Unusable speed Mikrotik-ExpressVPN(L2TP)
So quickly I need some advice. Did a set up L2TP client to ExpressVPN all works but the speed is very slow basically unusable, broadband speed is 70Mbps not much but Tunnel speed drops to something like 3-to10Mbps but the thing that looks like it has connection gaps or DNS problems as connectivity times to sites are crazy and speed is waving a lot from 10Mbps to 0 Mbps. Configuration is done following other topics how to set up Mikrotik to VPN provider . SO VPN client , nat rule mangle rule and routing roule.
Re: Unusable speed Mikrotik-ExpressVPN(L2TP)
Traffic going through a VPN can not be fasttracked so please check if your traffic is not fasttracked.
Re: Unusable speed Mikrotik-ExpressVPN(L2TP)
ok maybe my question will be too silly but how I should make that LAN witch goes via VPN is not fast-tracked while all other traffic going not via VPN is fast-tracked, thanks for the advice in advance.Traffic going through a VPN can not be fasttracked so please check if your traffic is not fasttracked.
Re: Unusable speed Mikrotik-ExpressVPN(L2TP)
This done in Mangle by Mark routing in your case. Then only fasttrack traffic that is not marked to be routed through that VPN connection.
Only mark new traffic for fasttracking.
BTW they also support IKEv2 which is much better. You can follow the NordVPN instructions. You have to find out which root certificate ExpressVPN is using and load that in the router.
Only mark new traffic for fasttracking.
BTW they also support IKEv2 which is much better. You can follow the NordVPN instructions. You have to find out which root certificate ExpressVPN is using and load that in the router.
Re: Unusable speed Mikrotik-ExpressVPN(L2TP)
Could you type in example rules as I got lost a bit, my vpn is based on these 3 rules:This done in Mangle by Mark routing in your case. Then only fasttrack traffic that is not marked to be routed through that VPN connection.
Only mark new traffic for fasttracking.
BTW they also support IKEv2 which is much better. You can follow the NordVPN instructions. You have to find out which root certificate ExpressVPN is using and load that in the router.
• Set up Mikrotik NAT rule
○ /ip firewall nat
/add action=masquerade out-interface=xxx chain=srcnat
• Set up Mikrotik Mangle rule
○ /ip firewall mangle
/add chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=no \ src-address=192.168.x.x/24 comment=xxx
• Set up Mikrotik routing rule
○ /ip route
/add dst-address=0.0.0.0/0 gateway=xxx routing-mark=vpn
Re: Unusable speed Mikrotik-ExpressVPN(L2TP)
Yeh IKEv2 would better but at first, I want to understand snd this to the end, as if I disable FastTrack on firewall I'm getting a 60Mbps out of 70 and this is amazing just need to sort out with fastracking.BTW they also support IKEv2 which is much better. You can follow the NordVPN instructions. You have to find out which root certificate ExpressVPN is using and load that in the router.
IKEv2 would be even more secure but L2TP will do the job as this is only for changing location (IP TV ) traffick.
Re: Unusable speed Mikrotik-ExpressVPN(L2TP)
I am missing your fasttrack line.
Simplified it should read:
If not routing-mark=vpn and connection is new then fasttrack. Not is written as ! in ROS.
An other option is also. Marking routing not going to the next line by disabling passtrough in the action tab. Then only traffic which is not marked will reach the next lines.
It is not strange to use both option so if one fails the other still in place.
As with fasttracking you only have to mark new connections.
Simplified it should read:
If not routing-mark=vpn and connection is new then fasttrack. Not is written as ! in ROS.
An other option is also. Marking routing not going to the next line by disabling passtrough in the action tab. Then only traffic which is not marked will reach the next lines.
It is not strange to use both option so if one fails the other still in place.
As with fasttracking you only have to mark new connections.
Re: Unusable speed Mikrotik-ExpressVPN(L2TP)
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=no src-address=192.168.x.x/24 comment=xxx connection-state=new
add action=fasttrack-connection routing-mark=vpn connection-state=new
If you switch to IKEv2 the you double the speed of 70 MBit/s to around 130MBit/s if your router can encode/decode that fast.
For IKEv2 you need a certificate ant it is a PITA to find since RouterOS does not check it for itself and depends on it's store. And I think you need this root certificate from Sertigo (Comodo):
https://comodoca.my.salesforce.com/sfc/ ... xjSo7katcM
Download and import it in /certificate.
To find the correct certificate I make a dummy connection and look in the log and then I have to find that specific root certificate on the site of the owner:
add chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=no src-address=192.168.x.x/24 comment=xxx connection-state=new
add action=fasttrack-connection routing-mark=vpn connection-state=new
If you switch to IKEv2 the you double the speed of 70 MBit/s to around 130MBit/s if your router can encode/decode that fast.
For IKEv2 you need a certificate ant it is a PITA to find since RouterOS does not check it for itself and depends on it's store. And I think you need this root certificate from Sertigo (Comodo):
https://comodoca.my.salesforce.com/sfc/ ... xjSo7katcM
Download and import it in /certificate.
To find the correct certificate I make a dummy connection and look in the log and then I have to find that specific root certificate on the site of the owner:
You do not have the required permissions to view the files attached to this post.
Re: Unusable speed Mikrotik-ExpressVPN(L2TP)
Second line what chain i should use prerouting or forwarding/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=no src-address=192.168.x.x/24 comment=xxx connection-state=new
add action=fasttrack-connection routing-mark=vpn connection-state=new
If you switch to IKEv2 the you double the speed of 70 MBit/s to around 130MBit/s if your router can encode/decode that fast.
For IKEv2 you need a certificate ant it is a PITA to find since RouterOS does not check it for itself and depends on it's store. And I think you need this root certificate from Sertigo (Comodo):
https://comodoca.my.salesforce.com/sfc/ ... xjSo7katcM
Download and import it in /certificate.
To find the correct certificate I make a dummy connection and look in the log and then I have to find that specific root certificate on the site of the owner:
cert.JPG
Re: Unusable speed Mikrotik-ExpressVPN(L2TP)
You use prerouting for that.
Re: Unusable speed Mikrotik-ExpressVPN(L2TP)
ok seems to be got it working going to implement to corporate now/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=no src-address=192.168.x.x/24 comment=xxx connection-state=new
add action=fasttrack-connection routing-mark=vpn connection-state=new
If you switch to IKEv2 the you double the speed of 70 MBit/s to around 130MBit/s if your router can encode/decode that fast.
For IKEv2 you need a certificate ant it is a PITA to find since RouterOS does not check it for itself and depends on it's store. And I think you need this root certificate from Sertigo (Comodo):
https://comodoca.my.salesforce.com/sfc/ ... xjSo7katcM
Download and import it in /certificate.
To find the correct certificate I make a dummy connection and look in the log and then I have to find that specific root certificate on the site of the owner:
cert.JPG
will update soonRe: Unusable speed Mikrotik-ExpressVPN(L2TP)
OK, all looks like ok, I just modified a bit both rules by adding incoming VPN interface in connection mark rule and it started working like a charm, past rough on both. Thank you kindly for your help I really appreciate it. It was good to learn something new./ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=vpn passthrough=no src-address=192.168.x.x/24 comment=xxx connection-state=new
add action=fasttrack-connection routing-mark=vpn connection-state=new
If you switch to IKEv2 the you double the speed of 70 MBit/s to around 130MBit/s if your router can encode/decode that fast.
For IKEv2 you need a certificate ant it is a PITA to find since RouterOS does not check it for itself and depends on it's store. And I think you need this root certificate from Sertigo (Comodo):
https://comodoca.my.salesforce.com/sfc/ ... xjSo7katcM
Download and import it in /certificate.
To find the correct certificate I make a dummy connection and look in the log and then I have to find that specific root certificate on the site of the owner:
cert.JPG
Just for the sake do I need to add extra security on the firewall for VPN client connection?
Re: Unusable speed Mikrotik-ExpressVPN(L2TP)
You have to treath all traffic the same and use the same protection.
That traffic is coming through a VPN makes it not more secure.
If you use a VPN we do that on connection level and what goes out comes back on the same connection and need not separate rules. Unasked traffic coming in are mostly from previous connections by other people and is not meant for you. Think about bittorent traffic.
Connection tracking (statefull firewall) is to be trusted in this.
That traffic is coming through a VPN makes it not more secure.
If you use a VPN we do that on connection level and what goes out comes back on the same connection and need not separate rules. Unasked traffic coming in are mostly from previous connections by other people and is not meant for you. Think about bittorent traffic.
Connection tracking (statefull firewall) is to be trusted in this.
-
-
aanjaneyam
just joined
- Posts: 1
- Joined:
Re: Unusable speed Mikrotik-ExpressVPN(L2TP)
@msatter can you please confirm that the root CA certificate in the above URL posted by you works. Also could you please help me by describing the way to find the URL in Mikrotik log if it changes in future.For IKEv2 you need a certificate ant it is a PITA to find since RouterOS does not check it for itself and depends on it's store. And I think you need this root certificate from Sertigo (Comodo):
https://comodoca.my.salesforce.com/sfc/ ... xjSo7katcM
Download and import it in /certificate.
To find the correct certificate I make a dummy connection and look in the log and then I have to find that specific root certificate on the site of the owner:
Re: Unusable speed Mikrotik-ExpressVPN(L2TP)
Is it possible for someone to write from A to Z how to set ExpressVPN?
Thanks
Thanks
Re: Unusable speed Mikrotik-ExpressVPN(L2TP)
Hi everybody. I have a speed problem. I setup l2tp vpn without ipsec and it connect ok with my VPN provider Privatevpn. Problem is speed. My internet connection is 70 mb. When I connect using VPN outside mikrotik speed is 20 mb. But when I connect through mikrotik speed is 1 mb or less. I stop FastTrack and it get a little better, like 2 or mb. Strange is that upload is always the same. 9 mb. Upload is always better than download. I use mangle(prerouting) action=mark routing new-routing-mark = vpn no passthrough
Please help im getting crazy how can I get a better vpn performance.
Please help im getting crazy how can I get a better vpn performance.
Re: Unusable speed Mikrotik-ExpressVPN(L2TP)
Hi pichincha,Hi everybody. I have a speed problem. I setup l2tp vpn without ipsec and it connect ok with my VPN provider Privatevpn. Problem is speed. My internet connection is 70 mb. When I connect using VPN outside mikrotik speed is 20 mb. But when I connect through mikrotik speed is 1 mb or less. I stop FastTrack and it get a little better, like 2 or mb. Strange is that upload is always the same. 9 mb. Upload is always better than download. I use mangle(prerouting) action=mark routing new-routing-mark = vpn no passthrough
Please help im getting crazy how can I get a better vpn performance.
which RB are you using?