abi

IPSEC: Slow download speed

Wed Apr 13, 2022 6:42 pm

Hello, I have had a problem with my IPsec connection for some time. I have extremely slow download speed (like 1 Mbps) and normal upload speed (like 60 Mbps). Recently, I 'refactored' my configuration to move to the 7.2 branch, but I can't say I've changed a lot.

To make sure the problem is not on the other side, I tried strongSwan from my laptop (with the MikroTik VPN disabled) and got normal speed in both directions.

Could the update have broken something in the configuration? It really looks very strange. I never used hacks like MSS tweaks before and everything was OK. I'm writing this post through the VPN and the web really feels slow :(

Maybe something obvious can be found in my config?

I've searched the forum and everyone is tweaking MSS; how can I check that it works?
ping -D -s 1400 cnn.com
PING cnn.com (151.101.65.67): 1400 data bytes
1408 bytes from 151.101.65.67: icmp_seq=0 ttl=58 time=79.486 ms
1408 bytes from 151.101.65.67: icmp_seq=1 ttl=58 time=79.114 ms
If I have set the MSS correctly below, should I see these pings at all?


# Wireless (CAPsMAN) and bridge layout. The bridge is VLAN-aware and every SSID
# is mapped to its own VLAN through a datapath, so segmentation is done at L2.
/caps-man channel
add name=default save-selected=no
/interface bridge
# VLAN filtering is on and the bridge's own (CPU) port admits tagged frames only,
# so the router's L3 presence on this bridge is the set of tagged VLAN
# interfaces declared below.
add frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] comment=Server
# ether5 (WAN_BACKUP, see /interface list member) and sfp1 are administratively down.
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
# One L3 VLAN interface per segment: 4 servers, 5 isolated servers, 14 IoT/TV,
# 15 WiFi, 16 guest WiFi, 17 IoT-VPN, 20 cameras, 80 management (purposes taken
# from the /ip address comments further down).
add interface=bridge name=vlan-4 vlan-id=4
add interface=bridge name=vlan-5 vlan-id=5
add interface=bridge name=vlan-14 vlan-id=14
add interface=bridge name=vlan-15 vlan-id=15
add interface=bridge name=vlan-16 vlan-id=16
add interface=bridge name=vlan-17 vlan-id=17
add interface=bridge name=vlan-20 vlan-id=20
add interface=bridge name=vlan-80 vlan-id=80
/caps-man datapath
# Client-to-client forwarding is allowed only on the internal SSID; guest, IoT,
# camera and IoT-VPN clients are isolated from each other at the AP. All use
# local-forwarding, so client traffic enters the bridge at the CAP, tagged.
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=internal-datapath vlan-id=15 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=no local-forwarding=yes name=guest-datapath vlan-id=16 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=no local-forwarding=yes name=iot-datapath vlan-id=14 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=no local-forwarding=yes name=camera-datapath vlan-id=20 vlan-mode=use-tag
add bridge=bridge client-to-client-forwarding=no local-forwarding=yes name=iot-vpn-datapath vlan-id=17 vlan-mode=use-tag
/caps-man rates
add name=default
/caps-man security
# WPA2-PSK with AES-CCM for both pairwise and group keys (no TKIP), group key
# rotated every 5 minutes. Four separate PSK profiles, one per SSID.
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m name=internal-security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m name=guest-security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m name=camera-security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m name=iot-vpn-security
/caps-man configuration
# SSIDs redacted in the post. Note the iot-datapath (VLAN 14) has no
# configuration using it here, and 'camera' omits mode=ap (presumably the default).
add channel=default datapath=internal-datapath mode=ap name=internal rates=default security=internal-security ssid=*snip*
add channel=default datapath=guest-datapath mode=ap name=guest rates=default security=guest-security ssid=*snip*
add channel=default datapath=camera-datapath name=camera rates=default security=camera-security ssid=*snip*
add channel=default datapath=iot-vpn-datapath installation=indoor name=iot-vpn rates=default security=iot-vpn-security ssid=*snip*
/interface list
# WAN is used by the firewall/NAT rules and CONTROL by neighbor discovery;
# INSIDE and WAN_BACKUP are populated below but not referenced by any rule in
# this export.
add name=WAN
add name=CONTROL
add name=INSIDE
add name=WAN_BACKUP
/interface lte apn
# Default LTE APN profile pinned to IPv4; no LTE interface appears in this export.
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer
# Single IKEv2 peer (address redacted); this side initiates, as no passive flag is set.
add address=*snip*/32 exchange-mode=ike2 name=*snip*
/ip ipsec profile
# Phase 1: AES-128 / SHA-256 / ECP-256 DH with strict proposal checking; DPD
# every 30 s, three missed replies tear the SA down.
set [ find default=yes ] dh-group=ecp256 dpd-interval=30s dpd-maximum-failures=3 enc-algorithm=aes-128 hash-algorithm=sha256 proposal-check=strict
/ip ipsec proposal
# Phase 2: AES-128-CBC + HMAC-SHA-256 with PFS (ECP-256). Secure as-is; an AEAD
# cipher (aes-128-gcm) is usually cheaper per packet where the hardware supports
# it, so it is worth comparing if tunnel throughput is the problem.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-128-cbc pfs-group=ecp256
/ip pool
# One /24 per VLAN; DHCP hands out .100-.200, the router itself is .222 on each.
add comment=Management name=vlan-80-pool ranges=10.0.80.100-10.0.80.200
add comment=Camera name=vlan-20-pool ranges=10.0.20.100-10.0.20.200
add comment=WiFi name=vlan-15-pool ranges=10.0.15.100-10.0.15.200
add comment="Guest WiFi" name=vlan-16-pool ranges=10.0.16.100-10.0.16.200
add comment=IOT name=vlan-14-pool ranges=10.0.14.100-10.0.14.200
add comment="Servers pool" name=vlan-4-pool ranges=10.0.4.100-10.0.4.200
add comment="Isolated Servers Pool" name=vlan-5-pool ranges=10.0.5.100-10.0.5.200
add comment="IOT VPN" name=vlan-17-pool ranges=10.0.17.100-10.0.17.200
/ip dhcp-server
# Short (1 h) leases on every segment.
add address-pool=vlan-80-pool interface=vlan-80 lease-time=1h name=vlan-80-dhcp
add address-pool=vlan-20-pool interface=vlan-20 lease-time=1h name=vlan-20-dhcp
add address-pool=vlan-15-pool interface=vlan-15 lease-time=1h name=vlan-15-dhcp
add address-pool=vlan-16-pool interface=vlan-16 lease-time=1h name=vlan-16-dhcp
add address-pool=vlan-14-pool interface=vlan-14 lease-time=1h name=vlan-14-dhcp
add address-pool=vlan-4-pool interface=vlan-4 lease-time=1h name=vlan-4-dhcp
add address-pool=vlan-5-pool interface=vlan-5 lease-time=1h name=vlan-5-dhcp
add address-pool=vlan-17-pool interface=vlan-17 lease-time=1h name=vlan-17-dhcp
/port
set 0 name=serial0
/routing bgp template
# The BGP template is enabled and an OSPF instance exists, but no BGP connection
# appears in this export and the only OSPF area is disabled. If these are
# leftovers of the 7.x migration, removing them keeps the routing stack minimal.
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/snmp community
# The default community (normally "public") is permitted from ANY source address.
# The input filter below limits UDP/161 to one address list, but the community
# itself should also be pinned (addresses=<collector-ip>/32) and, if the
# collector supports it, moved to SNMPv3 (security=private with auth/encryption)
# so a firewall-rule mistake does not expose read access to the whole device.
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
# Remote syslog to 10.0.4.27:10514 in BSD syslog format - plaintext on the LAN.
set 3 bsd-syslog=yes remote=10.0.4.27 remote-port=10514 syslog-facility=local0 syslog-time-format=iso8601
/caps-man manager
set enabled=yes
/caps-man provisioning
# Every CAP gets the internal SSID as master plus guest/camera/iot-vpn as slaves.
add action=create-dynamic-enabled master-configuration=internal slave-configurations=guest,camera,iot-vpn
/interface bridge port
# ether1 (APs) and ether2 (servers) are tagged-only trunks. ether3 is an access
# port for management VLAN 80 with ingress-filtering=no: as far as I can tell
# that lets a device on ether3 send tagged frames for VLANs the port is not a
# member of. Set ingress-filtering=yes and
# frame-types=admit-only-untagged-and-priority-tagged on ether3 so it can only
# ever speak VLAN 80.
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge ingress-filtering=no interface=ether3 pvid=80
/ip neighbor discovery-settings
# MNDP/CDP/LLDP announcements only on the CONTROL list (the bridge), not on WAN.
set discover-interface-list=CONTROL
/ip settings
# Fast path disabled: every packet is processed by the full firewall/IPsec stack.
# Probably required for the policy-based IPsec here, but it is a throughput cost
# worth keeping in mind while chasing the slow-download issue.
set allow-fast-path=no
/ipv6 settings
# IPv6 fully disabled on the device.
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# Bridge VLAN table. Every VLAN is tagged toward the CPU ('bridge') so the
# vlan-N interfaces work; VLAN 16 (guest) is also trunked to ether2, the only
# wireless VLAN that reaches the server trunk.
add bridge=bridge tagged=bridge,ether1 untagged=ether3 vlan-ids=80
add bridge=bridge comment=camera tagged=ether1,bridge vlan-ids=20
add bridge=bridge tagged=ether1,bridge vlan-ids=15
add bridge=bridge tagged=ether1,bridge,ether2 vlan-ids=16
add bridge=bridge tagged=ether1,bridge vlan-ids=14
add bridge=bridge tagged=ether2,bridge vlan-ids=4
add bridge=bridge tagged=ether2,bridge vlan-ids=5
add bridge=bridge comment="IOT VPN" tagged=ether1,bridge vlan-ids=17
/interface list member
# ether4 = primary WAN, ether5 (disabled) = backup WAN, ether1 = INSIDE,
# bridge = CONTROL (neighbor discovery).
add interface=ether4 list=WAN
add interface=ether1 list=INSIDE
add interface=bridge list=CONTROL
add interface=ether5 list=WAN_BACKUP
/interface ovpn-server server
# OVPN server still accepts md5 as an HMAC auth algorithm. Whether the server is
# enabled is not visible in this export; if it is in use, restrict to auth=sha1
# (or better) - md5 should not be offered on anything reachable from WAN.
set auth=sha1,md5
/ip address
# Router is .222 on every segment; these are the DHCP gateways below.
add address=10.0.80.222/24 comment="Management network" interface=vlan-80 network=10.0.80.0
add address=10.0.20.222/24 comment="Camera network" interface=vlan-20 network=10.0.20.0
add address=10.0.15.222/24 comment="WiFi network" interface=vlan-15 network=10.0.15.0
add address=10.0.16.222/24 comment="Guest WiFi network" interface=vlan-16 network=10.0.16.0
add address=10.0.4.222/24 comment="Servers network" interface=vlan-4 network=10.0.4.0
add address=10.0.14.222/24 comment="TV WiFi" interface=vlan-14 network=10.0.14.0
add address=10.0.5.222/24 comment="Isolated Servers" interface=vlan-5 network=10.0.5.0
add address=10.0.17.222/24 comment="IOT VPN" interface=vlan-17 network=10.0.17.0
/ip cloud
set update-time=no
/ip dhcp-client
# Backup WAN (ether5, currently disabled) would install a default route with
# distance 10 - the same distance as the static default route in /ip route, so
# when ether5 is enabled the two routes compete instead of one backing up the
# other. Give the backup a higher distance.
add default-route-distance=10 interface=ether5 use-peer-dns=no use-peer-ntp=no
# Primary WAN: DHCP for the address only; the default route is static (see /ip route).
add add-default-route=no interface=ether4 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
# Servers, WiFi and Management hand out 10.10.1.1 as DNS. That address is not in
# any local subnet and appears to be reachable only through the IPsec policies
# (10.0.0.0/8 and 0.0.0.0/0 destinations), so those segments lose DNS whenever
# the tunnel is down - and every lookup from them rides the tunnel.
add address=10.0.4.0/24 comment="Servers DHCP" dns-server=10.10.1.1 domain=*snip* gateway=10.0.4.222 ntp-server=10.0.4.222
add address=10.0.5.0/24 comment="Isolated Servers DHCP" dns-server=208.67.222.222,208.67.220.220 domain=*snip* gateway=10.0.5.222
add address=10.0.14.0/24 comment="TV WiFi" dns-server=10.0.14.222 domain=*snip* gateway=10.0.14.222 ntp-server=10.0.14.222
add address=10.0.15.0/24 comment=WiFi dns-server=10.10.1.1 domain=*snip* gateway=10.0.15.222 ntp-server=10.0.15.222
add address=10.0.16.0/24 comment="Guest WiFi" dns-server=10.0.16.222 domain=*snip* gateway=10.0.16.222 ntp-server=10.0.16.222
add address=10.0.17.0/24 comment="IOT VPN" dns-server=208.67.222.222,208.67.220.220 gateway=10.0.17.222 ntp-server=10.0.17.222
add address=10.0.20.0/24 comment=Camera dns-server=10.0.20.222 domain=*snip* gateway=10.0.20.222 ntp-server=10.0.20.222
# caps-manager option tells CAPs on the management VLAN where to find CAPsMAN.
add address=10.0.80.0/24 caps-manager=10.0.80.222 comment=Management dns-server=10.10.1.1 domain=*snip* gateway=10.0.80.222 ntp-server=10.0.80.222
/ip dns
# Router acts as a recursive resolver for guest/IoT/camera segments, forwarding
# to OpenDNS. Exposure is bounded by the input chain (UDP/53 only from 'local');
# there is no TCP/53 accept, so large answers that need TCP fall back to failure.
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=10.0.4.8 name=*snip*
/ip firewall address-list
# Named segments used by the filter rules. Redacted entries are individual hosts.
add address=10.0.80.0/24 list=management
add address=10.0.20.0/24 list=camera
# 'admin' is the single public address allowed to SSH in from WAN (input chain).
add address=5.2.74.156 comment="SSH Access from outside" list=admin
add address=10.0.4.0/24 list=servers
add address=10.0.4.5 list=*snip*
add address=10.0.15.0/24 list=wifi
add address=10.0.4.11 list=*snip*
add address=10.0.5.0/24 list=isolated
add address=10.0.5.1 list=*snip*
add address=10.0.80.8 list=*snip*
add address=10.0.4.20 list=*snip*
add address=109.167.144.131 list=*snip*
add address=10.0.4.8 list=*snip*
add address=10.0.17.0/24 list=iot-vpn
add address=10.0.14.0/24 list=iot
add address=10.0.15.10 list=*snip*
add address=10.0.16.0/24 list=guest
# 'local' is 10.0.0.0/8 - much wider than the 10.0.x.0/24 segments configured
# here. It also covers the remote side reached through the 10.0.0.0/8 IPsec
# policy, so every src-address-list=local rule (ICMP, DNS/NTP to the router,
# the 3260 "Resources access" rule) also matches tunnelled remote hosts. Tighten
# to 10.0.0.0/16 if that is not intended.
# The 'external_ip' list referenced by the dst-nat rules is not defined in this
# section - presumably redacted or populated dynamically.
add address=10.0.0.0/8 list=local
/ip firewall filter
# ---------- input: traffic addressed to the router itself ----------
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
# Echo requests only from 'local' (10.0.0.0/8, which includes tunnelled hosts).
add action=accept chain=input icmp-options=8:0-255 protocol=icmp src-address-list=local
# SNMP from the collector list only; DNS and NTP from any local source.
add action=accept chain=input dst-port=161 protocol=udp src-address-list=*snip*
add action=accept chain=input dst-port=53,123 protocol=udp src-address-list=local
# Management plane: WebFig over plain HTTP (80) and SSH (22) to the management
# address, CAPWAP (5246/5247) for the CAPs, all restricted to VLAN 80. Prefer
# www-ssl or WinBox over port 80 so credentials do not cross the LAN in clear.
add action=accept chain=input dst-address=10.0.80.222 dst-port=80,22 protocol=tcp src-address-list=management
add action=accept chain=input dst-address=10.0.80.222 dst-port=5246,5247 protocol=udp src-address-list=management
# SSH from the Internet, limited to the one 'admin' address. Since this is the
# only service reachable from WAN, pair it with key-based logins.
add action=accept chain=input dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=admin
# Default deny. Note there is no explicit accept for IKE (udp 500/4500) or ESP
# (protocol=ipsec-esp) from the peer: the tunnel relies on this side initiating
# and on the established/related entries staying alive. The documented MikroTik
# site-to-site setup adds those two accepts from the peer address so a
# peer-initiated rekey or DPD exchange is never dropped here.
add action=drop chain=input
# ---------- forward: traffic through the router ----------
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
# Anything decapsulated from the tunnel (in,ipsec) or about to enter it
# (out,ipsec) is accepted to any destination and port - the remote site is
# fully trusted. Narrow with src-/dst-address-list if the remote side should
# only reach specific servers.
add action=accept chain=forward comment=Ipsec ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=forward comment="Servers can access printer" dst-address-list=*snip* src-address-list=servers
add action=accept chain=forward comment="Management can access local network" dst-address-list=local src-address-list=management
add action=accept chain=forward comment="Resources access" dst-address-list=*snip* dst-port=3260 protocol=tcp src-address-list=local
# Published services (pair with the dst-nat rules). These have no in-interface
# or source restriction, so guest (vlan-16) and IoT (vlan-14) clients can reach
# these ports as well as Internet hosts - confirm that is intended.
add action=accept chain=forward dst-address-list=*snip* dst-port=25,143,587 protocol=tcp
# NOTE(review): 'dst-address-list*snip*' is missing the '=' - most likely lost in
# redaction; if it is really in the config this line would not import.
add action=accept chain=forward dst-address-list*snip* dst-port=443 protocol=tcp
add action=accept chain=forward dst-address-list=*snip* dst-port=1688 protocol=tcp
add action=accept chain=forward disabled=yes dst-address-list=*snip* dst-port=1194 protocol=udp
add action=accept chain=forward comment="SNMP collector" dst-port=161 protocol=udp src-address-list=*snip*
add action=accept chain=forward comment="Inter VLAN" dst-address-list=servers in-interface=vlan-15 out-interface=vlan-4
# Internet access per VLAN; camera (20) and management (80) are deliberately
# not in this list and are dropped explicitly further down.
add action=accept chain=forward comment="Internet access" in-interface=vlan-4 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-5 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-14 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-15 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-16 out-interface-list=WAN
# 192.168.2.222 is not a local network here; the matching IPsec policy for
# 192.168.2.0/24 is disabled, so this rule is presumably dormant.
add action=accept chain=forward dst-address=192.168.2.222 in-interface=vlan-80
add action=accept chain=forward in-interface=vlan-15 out-interface=vlan-20
add action=accept chain=forward in-interface=vlan-15 out-interface=vlan-5
# The two specific drops are redundant with the final drop but give separate
# counters for camera/management egress attempts.
add action=drop chain=forward comment="Default drop" in-interface=vlan-20 out-interface-list=WAN
add action=drop chain=forward in-interface=vlan-80 out-interface-list=WAN
add action=drop chain=forward
/ip firewall mangle
# MSS clamp. Only SYNs sourced from 10.0.80.0/24 are clamped (to 1300) and only
# in the outbound direction; the other subnets sent into the tunnel
# (10.0.4.0/24, 10.0.15.0/24, 10.0.17.0/24 per /ip ipsec policy) are never
# clamped, nor are SYNs arriving from the remote side. The usual MikroTik recipe
# keys on the IPsec policy rather than on one subnet, in both directions:
#   add action=change-mss chain=forward ipsec-policy=out,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
#   add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1360
# (1360 is the common starting value; adjust to the measured path MTU.)
# change-mss only rewrites the TCP MSS option in SYN segments and does nothing
# for ICMP, so a DF-ping does not exercise this rule - it only probes path MTU.
# log=yes emits one log line per clamped SYN to the remote syslog (topics=firewall)
# - fine for a test, very noisy in production.
add action=change-mss chain=forward dst-address=0.0.0.0/0 log=yes new-mss=1300 passthrough=yes protocol=tcp src-address=10.0.80.0/24 tcp-flags=syn tcp-mss=!0-1350
# Disabled connection marking for IPsec traffic (no queue/route rule uses the mark).
add action=mark-connection chain=forward disabled=yes ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward disabled=yes ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat
# Port-forwards keyed on the 'external_ip' list (not defined in the visible
# address-list section). The 443 rule lacks in-interface-list=WAN, unlike the
# mail rule - harmless if the list only holds the public address, but
# inconsistent; add it for parity.
add action=dst-nat chain=dstnat dst-address-list=external_ip dst-port=25,143,587 in-interface-list=WAN protocol=tcp to-addresses=10.0.4.5
add action=dst-nat chain=dstnat dst-address-list=external_ip dst-port=443 protocol=tcp to-addresses=10.0.4.11
add action=dst-nat chain=dstnat disabled=yes dst-address-list=external_ip dst-port=1194 in-interface-list=WAN protocol=udp to-addresses=10.0.5.1
# Redirect UDP/162 (SNMP trap port) on 10.0.4.20 to an unprivileged port 8162 on the same host.
add action=dst-nat chain=dstnat dst-address=10.0.4.20 dst-port=162 protocol=udp to-addresses=10.0.4.20 to-ports=8162
# Masquerade everything leaving WAN EXCEPT packets matched by an IPsec policy
# (ipsec-policy=out,none) - required so tunnelled traffic keeps its private source.
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
# Certificate (digital-signature) authentication for the IKEv2 peer - no PSK.
add auth-method=digital-signature certificate=*snip* peer=*snip*
/ip ipsec policy
# Policies match top-down. The first (action=none) keeps all 10.0.x.x <-> 10.0.x.x
# traffic out of the tunnel even though later policies cover 10.0.0.0/8 and
# 0.0.0.0/0; the two disabled bypasses are inactive.
add action=none dst-address=10.0.0.0/16 src-address=10.0.0.0/16
add action=none disabled=yes dst-address=192.168.2.0/24 src-address=10.0.80.0/24
add action=none disabled=yes dst-address=5.2.74.156/32 src-address=10.0.0.0/16
# Tunnel policies, each with its own SA (level=unique). 5.2.74.156/32 is also
# the 'admin' SSH source, so servers reach it via the tunnel while its SSH
# sessions arrive on WAN in the clear - asymmetric but works if intended.
add dst-address=5.2.74.156/32 level=unique peer=*snip* src-address=10.0.4.0/24 tunnel=yes
add dst-address=10.0.0.0/8 level=unique peer=*snip* src-address=10.0.4.0/24 tunnel=yes
add dst-address=10.10.1.1/32 level=unique peer=*snip* src-address=10.0.15.0/24 tunnel=yes
# 0.0.0.0/0 policies: ALL traffic from vlan-17 and vlan-80, Internet included,
# is sent through the tunnel. If the author's workstation is on the management
# VLAN, its web browsing exits via the remote site's uplink and depends on the
# remote side's MTU/MSS handling - relevant to the download-speed symptom.
add dst-address=0.0.0.0/0 level=unique peer=*snip* src-address=10.0.17.0/24 tunnel=yes
add dst-address=0.0.0.0/0 level=unique peer=*snip* src-address=10.0.80.0/24 tunnel=yes
/ip route
# Two default routes via the same gateway at equal distance; the first has an
# empty dst-address, which looks like an artefact of the 7.x migration. Verify
# with '/ip route print detail' and remove the duplicate.
add check-gateway=ping disabled=no distance=10 dst-address="" gateway=109.167.144.129 routing-table=main suppress-hw-offload=no
add check-gateway=ping disabled=no distance=10 dst-address=0.0.0.0/0 gateway=109.167.144.129 pref-src="" routing-table=main suppress-hw-offload=no
/ip service
# telnet/ftp/api/api-ssl disabled. The remaining services (www, www-ssl, ssh,
# winbox) are not shown, so they are at defaults; the input chain only admits
# 80 and 22 from the management VLAN plus 22 from the 'admin' address.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# SSH TCP forwarding enabled in both directions: any authenticated SSH session,
# including the one allowed in from the Internet, can tunnel to anything the
# router can reach (all VLANs and the IPsec remote site). Set
# forwarding-enabled=no unless the router is deliberately used as a jump host,
# and enable strong-crypto=yes while here.
set forwarding-enabled=both
/snmp
# SNMP agent enabled; access is community-based (see /snmp community above).
set enabled=yes location=Garage
/system identity
set name=jumpgate
/system logging
# Firewall log lines go to the remote syslog action (10.0.4.27). With log=yes on
# the MSS mangle rule, every clamped SYN ends up there.
add action=remote topics=firewall
/system ntp client
set enabled=yes
/system ntp server
# NTP server for the LAN (multicast/manycast too). Reachable only from 'local'
# thanks to the UDP/123 input rule, so it is not exposed to WAN.
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system routerboard settings
# RouterBOOT firmware is upgraded automatically on the reboot after a RouterOS upgrade.
set auto-upgrade=yes
/tool mac-server
# MAC-telnet, MAC-WinBox and MAC-ping all off - good L2 hardening.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool sniffer
# Sniffer filter left pointing at 88.198.248.254 (headers only) - looks like a
# troubleshooting leftover; whether the sniffer is running is not shown here.
set filter-ip-address=88.198.248.254/32 only-headers=yes
