PalenMa56
just joined
Topic Author
Posts: 2
Joined: Sun Oct 30, 2022 10:31 am

IPSec VPN performance issues

Sun Oct 30, 2022 10:41 am

Hello,

I'm new to the Mikrotik world and I would really appreciate your help with my issues.
I believe that both issues are somewhat connected, but I can't find where the misconfiguration is.


Scenario:

This Mikrotik router, an RB1100AHx4, is located in our branch office. Internet connectivity in the branch office is provided via fiber optics with PPPoE (symmetric speed 60 Mb/s / 60 Mb/s).
At our headquarters we have a Fortigate firewall. Between the Mikrotik and the Fortigate we have an IPsec VPN.

Behind the Mikrotik there are 3 internal LANs:
a) secure LAN 192.168.120.0/24 for company computers. These computers have access to the Internet via the IPsec VPN tunnel at the headquarters site.
b) LAN 125 (guest LAN), 192.168.125.0/24. Guest computers can reach the Internet locally (local breakout) via the public IP of the Mikrotik.
c) LAN 126 (guest LAN), 192.168.126.0/24. Guest computers can reach the Internet locally (local breakout) via the public IP of the Mikrotik.

These local LANs must NOT see each other. Traffic between these LANs is prohibited (not allowed). This was tested and confirmed: no traffic is allowed between the local LANs.
All of these requirements are already in place and configured. But I have 2 issues which I'm not able to solve.


Issue #1 - Access from LAN 192.168.120.0/24 to the management IP (192.168.120.1) of the Mikrotik router

a) I'm not able to ping IP 192.168.120.1 from the locally (directly) connected network 192.168.120.0/24
b) I'm not able to access the Mikrotik via IP 192.168.120.1 (SSH, WinBox) from the locally (directly) connected network 192.168.120.0/24
c) I can access the Mikrotik (WinBox) from the locally (directly) connected network 192.168.120.0/24 via the MAC address of the Mikrotik
d) I'm able to access the Mikrotik via the public WAN IP 193.A.B.C (SSH, WinBox) from remote public IPs (Remote Access)

I believe that security "hardening" was done too thoroughly.

Can you please help me and point out which rule (IP Firewall) I should change?


Issue #2 - IPsec VPN performance issues

As far as I can see we have performance issues on upload.

I did several speedtests at the branch office site and the download speed was max. 46 Mb/s and the upload speed was max. 13 Mb/s.
I've changed the MTU/MSS parameters quite a lot and this was the best result.

a) Internet connectivity at the branch office site is symmetric 60 Mb/s / 60 Mb/s (fiber optics with PPPoE).
This was tested several times. I hooked up my laptop to the ISP modem. The modem was in bridge mode. The PPPoE client was my laptop. I've done several tests and the speedtest was approx. upload 58 Mb/s / download 58 Mb/s. This means that the ISP connectivity speed is OK.

b) I also ran a speedtest on the Mikrotik itself (access to the Internet). Upload approx. 58 Mb/s / download 58 Mb/s. This means that the ISP connectivity speed is OK and that the Mikrotik is not the bottleneck.

c) Speed at the headquarters site is 100 Mb/s / 100 Mb/s (fiber optics without PPPoE). I did several speedtests and the speed was approx. upload 97 Mb/s / download 97 Mb/s. This means that the ISP connectivity is also OK.
MTU size at headquarters (Fortigate) on the WAN and LAN interfaces: 1500 bytes.
MTU size on the IPsec VPN tunnel (on the Fortigate firewall): 1438 (this was automatically configured by the Fortigate).

d) For test reasons I temporarily moved the Mikrotik to a different physical location (another branch office with different ISP connectivity: fiber optics 60 Mb/s / 60 Mb/s without PPPoE).
Speedtests on the IPsec VPN tunnel were much better. Several tests show much better results: download 55 Mb/s / upload 55 Mb/s. I'm sure that the issue is also not at the HQ site on the Fortigate.

e) Speedtests were done outside business hours.

I'm quite sure that the issue is in the MTU/MSS size. But I can't find which MSS size would give us the maximum bandwidth performance on the IPsec VPN tunnel.
Any ideas how to nail down this issue?

-----------------------------------------------------

# RouterOS 7.5
#
# model = RB1100Dx4

/interface bridge
add name=Bridge-LAN-120
add name=Bridge-LAN-126
add name=Bridge-WAN

/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=Bridge-WAN \
    max-mru=1492 max-mtu=1492 name=Telecom-PPPoE use-peer-dns=yes user=username123
    
/interface vlan
add interface=Bridge-LAN-120 name=vlan125 vlan-id=125

/disk
set sata1 disabled=no

/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip ipsec peer
add address=194.X.Y.Z/32 name=peer1

/ip ipsec profile
set [ find default=yes ] dh-group=modp1536 enc-algorithm=aes-256 \
    hash-algorithm=sha256 name=default123

/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1d name=\
    proposal1 pfs-group=modp1536

/ip pool
add name=dhcp_pool1 ranges=192.168.120.50-192.168.120.100
add name=dhcp_pool125 ranges=192.168.125.50-192.168.125.100
add name=dhcp_pool126 ranges=192.168.126.50-192.168.126.100

/ip dhcp-server
add address-pool=dhcp_pool1 interface=Bridge-LAN-120 lease-time=12h name=\
    dhcp1
add address-pool=dhcp_pool126 interface=Bridge-LAN-126 lease-time=12h name=\
    dhcp126
add address-pool=dhcp_pool125 interface=vlan125 lease-time=12h name=dhcp125

/port
set 0 name=serial0
set 1 name=serial1

/interface bridge port
add bridge=Bridge-LAN-120 interface=ether3
add bridge=Bridge-LAN-120 interface=ether4
add bridge=Bridge-LAN-120 interface=ether5
add bridge=Bridge-LAN-120 interface=ether6
add bridge=Bridge-LAN-120 interface=ether7
add bridge=Bridge-LAN-120 interface=ether8
add bridge=Bridge-LAN-120 interface=ether9
add bridge=Bridge-LAN-120 interface=ether10
add bridge=Bridge-LAN-126 interface=ether11
add bridge=Bridge-LAN-126 interface=ether12
add bridge=Bridge-LAN-126 interface=ether13
add bridge=Bridge-WAN interface=ether1
add bridge=Bridge-WAN interface=ether2

/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/ip settings
set max-neighbor-entries=8192

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

/interface ovpn-server server
set auth=sha1,md5

/ip address
add address=192.168.120.1/24 interface=Bridge-LAN-120 network=192.168.120.0
add address=192.168.125.1/24 interface=vlan125 network=192.168.125.0
add address=192.168.126.1/24 interface=Bridge-LAN-126 network=192.168.126.0

/ip dhcp-server network 
add address=192.168.120.0/24 dns-server=192.168.30.50,192.168.30.51 gateway=\
    192.168.120.1
add address=192.168.125.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.125.1
add address=192.168.126.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.126.1

/ip dns
set cache-max-ttl=8h servers=8.8.8.8,8.8.4.4

/ip firewall filter
add action=accept chain=input comment="Remote Access 1" dst-address=193.A.B.C dst-port=8291 log=yes protocol=tcp src-address=194.X.Y.Z
add action=accept chain=input dst-address=193.A.B.C dst-port=22 log=yes protocol=tcp src-address=194.X.Y.Z
add action=accept chain=input dst-address=192.168.120.1 dst-port=8291 log=yes protocol=tcp src-address=194.X.Y.Z
add action=accept chain=input dst-address=192.168.120.1 dst-port=22 log=yes protocol=tcp src-address=194.X.Y.Z
add action=accept chain=input dst-address=193.A.B.C dst-port=8291 log=yes protocol=tcp src-address=192.168.30.0/24
add action=accept chain=input dst-address=193.A.B.C dst-port=22 log=yes protocol=tcp src-address=192.168.30.0/24
add action=accept chain=input dst-address=192.168.120.1 dst-port=8291 log=yes protocol=tcp src-address=192.168.30.0/24
add action=accept chain=input dst-address=192.168.120.1 dst-port=22 log=yes protocol=tcp src-address=192.168.30.0/24
add action=accept chain=input comment="Remote Access 2" dst-address=193.A.B.C dst-port=8291 log=yes protocol=tcp src-address=31.D.E.F
add action=accept chain=input dst-address=193.A.B.C dst-port=22 log=yes protocol=tcp src-address=31.D.E.F
add action=accept chain=input comment="Remote Access 3" dst-address=193.A.B.C dst-port=8291 log=yes protocol=tcp src-address=93.K.L.M
add action=accept chain=input dst-address=193.A.B.C dst-port=22 log=yes protocol=tcp src-address=93.K.L.M
add action=drop chain=input comment="Block Remote Access via SSH" dst-address=193.A.B.C dst-port=22 log=yes log-prefix=WinBox-SSH-Block-Access protocol=tcp
add action=drop chain=input comment="Block Remote Access via WinBox" dst-address=193.A.B.C dst-port=8291 log=yes log-prefix=WinBox-SSH-Block-Access protocol=tcp
add action=accept chain=input dst-address=0.0.0.0 protocol=tcp src-address=0.0.0.0
add action=accept chain=forward dst-address=0.0.0.0 protocol=tcp src-address=0.0.0.0
add action=drop chain=input dst-address=192.168.125.0/24 log=yes log-prefix=DROP-VLAN-ICMP-ALL protocol=icmp src-address=192.168.120.0/24
add action=drop chain=input dst-address=192.168.120.0/24 log=yes log-prefix=DROP-VLAN-ICMP-ALL protocol=icmp src-address=192.168.125.0/24
add action=drop chain=input dst-address=192.168.125.0/24 log=yes log-prefix=120->125 src-address=192.168.120.0/24
add action=drop chain=forward dst-address=192.168.125.0/24 log=yes src-address=192.168.120.0/24
add action=drop chain=input dst-address=192.168.120.0/24 log=yes src-address=192.168.125.0/24
add action=drop chain=forward dst-address=192.168.120.0/24 log=yes src-address=192.168.125.0/24

/ip firewall mangle
add action=change-mss chain=forward log=yes log-prefix=MSS new-mss=1382 out-interface=Telecom-PPPoE passthrough=yes protocol=tcp src-address=192.168.120.0/24 tcp-flags=syn tcp-mss=!0-1382

/ip firewall nat
add action=accept chain=srcnat dst-address=0.0.0.0/0 log=yes log-prefix=IPSEC src-address=192.168.120.0/24
add action=masquerade chain=srcnat out-interface=Telecom-PPPoE src-address=192.168.125.0/24
add action=masquerade chain=srcnat out-interface=Telecom-PPPoE src-address=192.168.126.0/24

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes

/ip ipsec identity
add peer=peer1

/ip ipsec policy
add dst-address=0.0.0.0/0 peer=peer1 proposal=proposal1 src-address=192.168.120.0/24 tunnel=yes

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/system clock
set time-zone-name=Europe/Berlin

/system identity
set name=MK1100AHx4

/system ntp client
set enabled=yes

/system ntp client servers
add address=193.W.Z.X

/tool bandwidth-server
set authenticate=no enabled=no
Last edited by BartoszP on Sun Oct 30, 2022 11:01 am, edited 1 time in total.
Reason: use proper tags for quoting, code etc.
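As a worked check on the MTU/MSS question above, here is an added Python calculation (not from the post, and not MikroTik or Fortigate code) of the ESP tunnel-mode overhead for the posted proposal, aes-256-cbc with sha256; it assumes IPv4, no NAT-T and the usual 16-byte truncated ICV (HMAC-SHA-256-128).

```python
# Added example (not from the thread): how much TCP payload fits through an
# ESP tunnel-mode packet, using the thread's own cipher suite and link MTUs.
IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)
UDP_HDR = 8       # only present with NAT-T (UDP/4500 encapsulation)


def esp_tunnel_inner_mtu(outer_mtu, iv_len=16, icv_len=16, block=16, nat_t=False):
    """Largest inner IPv4 packet that fits into one ESP packet of outer_mtu bytes.

    Defaults assume the proposal posted in the thread: aes-256-cbc (16-byte IV and
    cipher block) with sha256 (HMAC-SHA-256-128, 16-byte ICV) and no NAT-T.
    """
    room = outer_mtu - IPV4_HDR - ESP_HDR - iv_len - icv_len
    if nat_t:
        room -= UDP_HDR
    # Inner packet + padding + trailer is encrypted with a block cipher, so it
    # must be a whole number of blocks: round the available room down.
    encrypted = room - room % block
    return encrypted - ESP_TRAILER


def tcp_mss_for_tunnel(outer_mtu, **kw):
    """TCP MSS to clamp to so a full segment never exceeds the tunnel's inner MTU."""
    return esp_tunnel_inner_mtu(outer_mtu, **kw) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    # Branch: PPPoE link with max-mtu=1492; HQ: plain Ethernet WAN with MTU 1500.
    for site, mtu in (("branch PPPoE", 1492), ("HQ Fortigate", 1500)):
        print(f"{site}: outer MTU {mtu} -> inner MTU {esp_tunnel_inner_mtu(mtu)}, "
              f"TCP MSS {tcp_mss_for_tunnel(mtu)}")
```

With the PPPoE MTU of 1492 this yields an inner MTU of 1422 and an MSS of 1382, the value already in the posted mangle rule; with MTU 1500 it yields 1438, the tunnel MTU the Fortigate chose, so the clamp itself is not the obvious culprit.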
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: IPSec VPN performance issues  [SOLVED]

Sun Oct 30, 2022 6:48 pm

You want this before your existing IPSec policy:
/ip ipsec policy
add action=none src-address=192.168.120.0/24 dst-address=192.168.120.0/24
You should also read something about stateful firewall. Check e.g. this and focus on "connection-state".

I don't know about performance.
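To show why the exception has to sit before the existing policy, here is an added Python model (not RouterOS code and not part of the thread) of first-match policy selection; it only models the outbound match, and the policy list and sample addresses are reconstructed from the posted config and the suggested addition.

```python
# Added example (not RouterOS code): first-match selection over an ordered list
# of IPsec policies, modelling only the outbound match of /ip ipsec policy.
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    src: str
    dst: str
    action: str       # "encrypt" = send through the tunnel, "none" = bypass IPsec
    peer: str = ""


def select_policy(policies, src_ip, dst_ip):
    """Return the first policy whose src/dst networks contain the packet's addresses."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst):
            return p
    return None


def outcome(policies, src_ip, dst_ip):
    """'plain' if the packet leaves untouched, otherwise 'encrypt->' plus the peer name."""
    p = select_policy(policies, src_ip, dst_ip)
    if p is None or p.action == "none":
        return "plain"
    return f"encrypt->{p.peer}"


# Policies reconstructed from the posted config and from Sob's suggested addition.
TUNNEL = Policy("192.168.120.0/24", "0.0.0.0/0", "encrypt", peer="peer1")
BYPASS = Policy("192.168.120.0/24", "192.168.120.0/24", "none")

ORIGINAL = [TUNNEL]             # the config as posted
FIXED = [BYPASS, TUNNEL]        # exception placed before the catch-all policy
WRONG_ORDER = [TUNNEL, BYPASS]  # same two rules, exception placed after it

if __name__ == "__main__":
    # The router's own reply to a LAN host, e.g. to a ping of 192.168.120.1
    reply = ("192.168.120.1", "192.168.120.50")
    for name, pol in (("original", ORIGINAL), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(f"{name:12} router reply -> {outcome(pol, *reply)}; "
              f"LAN to Internet -> {outcome(pol, '192.168.120.50', '8.8.8.8')}")
```

With only the catch-all policy, the router's own reply to a LAN host matches the tunnel and is sent towards peer1 instead of back onto the LAN, which is why ping and WinBox by IP fail while MAC-level WinBox still works; the bypass only helps when it is listed first.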
 
PalenMa56
just joined
Topic Author
Posts: 2
Joined: Sun Oct 30, 2022 10:31 am

Re: IPSec VPN performance issues

Sat Nov 12, 2022 11:19 am

Hi Sob,


Thank you very much for your answer. Your solution solved my issue regarding ping/WinBox reachability.
It seems that IPsec performance is also much better. A speed test shows DL: 40 Mb/s and UL: 32 Mb/s.

P.S.: sorry for my late feedback. I've been away for the last couple of weeks.
