Hi all,

I recently bought a RB952Ui-5ac2nD (HAP AC lite) to connect the cottage to my home lab with a VPN. The home lab is running a 3011UiAS.

The cottage has a 100Mbps down and 15Mbps up link. The home lab has a 300/300Mbps link. I have around 100ms latency between the sites.

I was not expecting the HAP to be able to pass the whole 100Mbps in the VPN. But I was still expecting more than 4-5Mbps. Somewhere around 15-20 would have been perfect. CPU of the HAC never goes over 20%. The RB3011 doesn't even feel it.

I tried different VPN configuration (openvpn, l2tp/ipsec), I played with fasttrack (https://blog.johannfenech.com/mikrotik- ... ipsec-vpn/). Played with MTU. So far, nothing seems to have any impact.

Does anyone have any suggestion or were my expectations just too high?

Thanks for your help.

Like I mentioned here viewtopic.php?f=2&t=171995 I get about 21Mbits which is very low ...and have no Idea why is so slow :-)

Well, 21Mbps would be ok for me. But I'm far from getting that.

Ok, problem is clearly with IPsec.

If I disable IPsec and just go L2TP, I'm getting 40-42Mbps.

I would definitely prefer to keep the IPsec though....

Your router is not mentioned here: https://wiki.mikrotik.com/wiki/Manual:I ... celeration

So it means that you will get terrible performance. I would also suggest bypassing fasttrack (either by using "notrack" or "allowing" traffic before fastrack rule) and tuning MSS size might be required (which I believe is not).

You might get some hints here and here.

EDIT: So you say that performance penalty is mostly because of IPSEC. Your only option would be:

• No encryption at all
• Lower encryption = faster speeds and lower security
• Wireguard = should be fast and safe enough, but only in ROS7.

I know that the HAP ac lite doesn't have hardware acceleration for encryption. Which is why I was expecting much slower performance on encryption.

Still, with no dedicated ASIC for encryption, I was expecting the CPU to max out doing the encryption, but I'm still stuck at 5Mbps but with only 20-30% CPU usage.

I played with fast path, fasttrack and fast forward, couldn't see any impact on any change.

No matter what, I'll stay unencrypted for now. Most of the traffic going through that link will be encrypted anyway (ex.: https).

Thanks for the hints.

Just an additional note, I tried using low encryption (md5, des and modp768). I got as far as 7Mbps and 30% CPU usage. I don't know if these are the lowest encryption available on the Mikrotik though.

Through a Bandwidth Test, I get max 24Mbits over either OVPN / IPsec with a 100% CPU usage :-) ...

With IPSec and the hap lite I would max out at 8 mbps, but packets would drop so bad that users who's traffic was not using the IPSec tunnel would complain. So I had to limit my IPSec throughput to 3 to prevent dropped packets.

I upgraded to Hex and ran some tests, I can max out my internet speed over the IPSec tunnel now.

Worth noting, when I did have to transfer a lot of data over the hap lite IPSec VPN, I would set encryption to null to temporarily increase speeds.

Maybe the latency is forming the bottleneck. Can you test having both devices direct connected?