Fastest VPN type?

I have two sites on opposite ends of the country, both have gigabit connections. I have PPTP VPNs configured on two RB3011 and it works fine, except for throughput. I’m able to get a max of 5mb each direction through the VPN. The CPU is only at 2% on each router as well. I’m convinced that the issue is probably the protocol. I know PPTP is not secure, which isn’t needed for this application. What would be best to try next?

I would recommend doing GRE Tunnel with IPsec. This will give you very fast VPN connections with the security of IPsec. IPsec by itself can be resource intensive, causing slowdowns.

Here is a good how-to I’ve used in the past to set up many GRE IPsec VPNs which work very well.

https://techsfair.com/2018/03/how-to-configure-mikrotik-site-to-site-gre-tunnel-with-ipsec.html

Edit: Stay away from PPTP. It’s been deemed insecure for a very long time and is not compliant with a lot of companies when it comes to technical audits.

If you’re trying to do SMB/CIFS fileshares the speed is going to be shit due to the protocol itself not handling latency well. Best option is to use something else like FTP or HTTP instead. Past that you can try adjusting MSS values. Past that you can look at WAN Optimizers to spoof the ACKs.

What is 4mb? A specific protocol or a raw throughput test?

This sounds like an application that doesn’t like 50ms of latency, not a tunnel issue. At least that would be my first thing to check.

Run some tests with something like iperf and see what your raw throughput is.

Using L2TP I can get 120mbps through a Hex S on a transatlantic link with about 100ms latency. Maybe more; that’s the line speed on the connection. So topping out at 5mbps with PPTP on a 3011 seems odd.

Check this guide types of VPN

Of all the protocols, that’s about the lowest overhead.

Can you point me where to set this and/or what to set it to?

Yeah, was doing SMB. But 1Gb going down to 5mb? That’s a hell of a hit.

I’m measuring it via SMB file transfers. About to try SCP or FTP.

^This, had throughput issues on PPTP back in the day and dropping MTU helped.

Have since moved everyone to L2TP with IPsec and you probably should too for the sake of security.

That said, on low end devices you’re better off with the throughput from PPTP.

Yea I agree, but it’s just how SMB works. It’s extremely chatty and that is basically what crushes performance when latency is in the mix. Below is a good TechNet article explaining what’s going on in the backend.

SMB is block access, while FTP and such are stream access. The first type works best with very low latencies. Yep, it may go THIS bad.
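An added illustration, not part of any post in this thread: a small timeline model of a request/response block protocol, showing how round-trip time rather than link speed caps throughput when few requests are outstanding. The 64 KiB block size, the outstanding-request counts, and reading "5mb" as 5 Mbit/s are assumptions; the model is not an SMB implementation.

```python
# Added illustration: timeline model of a request/response block transfer.
# All parameter values below are constructed for the example.

def block_transfer_mbps(file_bytes, block_bytes, rtt_s, link_bps, credits=1):
    """Effective throughput (Mbit/s) when the client may keep at most
    `credits` block requests outstanding at any time (hypothetical name)."""
    n_blocks = -(-file_bytes // block_bytes)      # ceiling division
    one_way = rtt_s / 2
    arrivals = []          # time each response is fully received by the client
    link_free = 0.0        # time the server's link finishes the previous block
    for k in range(n_blocks):
        # Request k can only be sent once a slot is free, i.e. once
        # response k - credits has arrived.
        sent = 0.0 if k < credits else arrivals[k - credits]
        size = min(block_bytes, file_bytes - k * block_bytes)
        start = max(sent + one_way, link_free)    # server starts sending
        link_free = start + size * 8 / link_bps   # serialization delay
        arrivals.append(link_free + one_way)
    return file_bytes * 8 / arrivals[-1] / 1e6


def bytes_in_flight(observed_mbps, rtt_s):
    """Invert the model: data outstanding per round trip at a given rate."""
    return observed_mbps * 1e6 * rtt_s / 8


if __name__ == "__main__":
    FILE = 100 * 1024 * 1024       # constructed 100 MiB transfer
    BLOCK = 64 * 1024              # assumed 64 KiB per request
    GIG = 1_000_000_000            # 1 Gbit/s link
    for label, rtt in (("LAN, 0.5 ms", 0.0005), ("WAN, 50 ms", 0.050)):
        for credits in (1, 4, 64):
            mbps = block_transfer_mbps(FILE, BLOCK, rtt, GIG, credits)
            print(f"{label:12} credits={credits:<3} {mbps:8.1f} Mbit/s")
    kib = bytes_in_flight(5, 0.050) / 1024
    print(f"5 Mbit/s at 50 ms = {kib:.1f} KiB per round trip")
```

With one request outstanding, the same gigabit link drops from roughly 500 Mbit/s at LAN latency to roughly 10 Mbit/s at 50 ms, which is why an iperf run and an SMB copy over the same tunnel can disagree so widely.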

Maybe you should try other SMB software, I’ve read newer versions of the protocol mitigate the high-latency problem somehow. For instance, RouterOS uses ancient SMB 1.0…

You can test it locally, just add the latency onto your network card artificially. It’s pretty easy to do in Linux.

NetBIOS over WAN is a big no-no

Sure it’s not the most efficient but you should not be getting 0.5% of your bandwidth over a VPN.