Добрый день!
Я новичок в этом деле, прошу помощи. В общем, история такова. Настроил на роутере L2TP клиент для обхода блокировок сайтов. Промаркировал трафик и в таблицу забил адреса, при обращении к которым трафик будет перенаправляться в впн туннель. Суть проблемы в следующем - если я нахожусь в локальной сети роутера (подключен с телефона по wifi), то долго грузятся сайты (напр., инстаграм - взял для проверки). Но, если я с телефона, подключенного к wifi микротика подключусь к этому же роутеру через впн, то скорость сразу взлетает - начинают нормально грузится сайты. Подскажите, в чем может быть причина? Гугл ничего не дал.
Долго грузятся сайты через L2TP, но только внутри локальной сети роутера.
-
xvo
- Сообщения: 4204
- Зарегистрирован: 25 фев 2018, 22:41
- Откуда: Москва
Предлагаете угадать, не имея никаких технических данных о том, что и как вы там настроили?
Ок.
Если в маршрутизации клиентов wifi и внутреннего VPN нет никаких различий, то проблема может быть в неверно указанном MTU для внешнего VPN: например на внутреннем VPN MTU меньше, и он нормально пролезает и во внешний, а вот пакеты с обычным 1500 - не лезут.
Но все-таки лучше приложите конфиг.
Ок.
Если в маршрутизации клиентов wifi и внутреннего VPN нет никаких различий, то проблема может быть в неверно указанном MTU для внешнего VPN: например на внутреннем VPN MTU меньше, и он нормально пролезает и во внешний, а вот пакеты с обычным 1500 - не лезут.
Но все-таки лучше приложите конфиг.
Telegram: @thexvo
-
teset71
- Сообщения: 2
- Зарегистрирован: 14 май 2023, 12:19
Пробовал понизить MTU wifi - результата не дало. Но при небольшом снижении MTU у внешнего впн скорость загрузки немного увеличилась, но все же не так, если подключиться к роутеру по впн.
# may/14/2023 11:57:27 by RouterOS 7.9
# software id = 8II8-E0BS
#
# model = RBD53iG-5HacD2HnD
# serial number =
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
add name=bridge_guest
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=russia4 disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge ssid=Alabama wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=russia4 disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge ssid=Alabama wireless-protocol=\
802.11
/interface l2tp-client
add connect-to=46.149.77.69 dial-on-demand=yes disabled=no name=\
RKN use-ipsec=yes use-peer-dns=yes user=vpnuser
/ip ipsec policy group
add name=l2tp
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms="aes-256-c\
bc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm,3des"
/ppp profile
add name=L2TP
/routing table
add disabled=no fib name=VPN_RKN
/user group
set read policy="local,ftp,read,winbox,!telnet,!ssh,!reboot,!write,!policy,!te\
st,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api"
/interface l2tp-server server
set default-profile=L2TP enabled=yes use-ipsec=required
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=instagram.com list=VPN
add address=rutor.info list=VPN
add address=147.75.208.0/20 list=VPN
add address=185.89.216.0/22 list=VPN
add address=31.13.24.0/21 list=VPN
add address=31.13.64.0/19 list=VPN
add address=31.13.96.0/19 list=VPN
add address=45.64.40.0/22 list=VPN
add address=66.220.144.0/20 list=VPN
add address=69.63.176.0/20 list=VPN
add address=69.171.224.0/19 list=VPN
add address=74.119.76.0/22 list=VPN
add address=102.132.96.0/20 list=VPN
add address=103.4.96.0/22 list=VPN
add address=129.134.0.0/16 list=VPN
add address=157.240.0.0/16 list=\VPN
add address=173.252.64.0/18 list=VPN
add address=179.60.192.0/22 list=VPN
add address=185.60.216.0/22 list=VPN
add address=204.15.20.0/22 list=VPN
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=forward comment=guest_local_drop connection-state=new \
dst-address=192.168.4.0/24 src-address=192.168.250.0/24
add action=drop chain=forward connection-state=new disabled=yes dst-address=\
192.168.4.0/24 src-address=192.168.42.0/24
add action=accept chain=input comment=ssh_accept dst-port=7120 protocol=tcp
add action=accept chain=input comment=winb_accept dst-port=8291 protocol=tcp
add action=accept chain=input comment=VPN dst-port=500,1701,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=add-src-to-address-list address-list=ssh_round1 \
address-list-timeout=2m chain=input comment=sshguard connection-state=new \
dst-port=7120 protocol=tcp
add action=add-src-to-address-list address-list=ssh_round2 \
address-list-timeout=2m chain=input connection-state=new dst-port=7120 \
protocol=tcp src-address-list=ssh_round1
add action=add-src-to-address-list address-list=ssh_round3 \
address-list-timeout=1m chain=input connection-state=new dst-port=7120 \
protocol=tcp src-address-list=ssh_round2
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w chain=input connection-state=new dst-port=7120 \
protocol=tcp src-address-list=ssh_round3
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=VPN \
new-routing-mark=VPN_RKN passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=RKN_NE_PROIDET
add action=dst-nat chain=dstnat disabled=yes dst-port=1701,500,4500 \
in-interface=bridge protocol=tcp to-addresses=192.168.42.10
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=RKN \
pref-src="" routing-table=VPN_RKN scope=30 suppress-hw-offload=no \
target-scope=10
/routing rule
add action=lookup-only-in-table disabled=no routing-mark=VPN_RKN table=\
VPN_RKN
# may/14/2023 11:57:27 by RouterOS 7.9
# software id = 8II8-E0BS
#
# model = RBD53iG-5HacD2HnD
# serial number =
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
add name=bridge_guest
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=russia4 disabled=no distance=indoors frequency=auto installation=\
indoor mode=ap-bridge ssid=Alabama wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=russia4 disabled=no distance=indoors frequency=\
auto installation=indoor mode=ap-bridge ssid=Alabama wireless-protocol=\
802.11
/interface l2tp-client
add connect-to=46.149.77.69 dial-on-demand=yes disabled=no name=\
RKN use-ipsec=yes use-peer-dns=yes user=vpnuser
/ip ipsec policy group
add name=l2tp
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms="aes-256-c\
bc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm,3des"
/ppp profile
add name=L2TP
/routing table
add disabled=no fib name=VPN_RKN
/user group
set read policy="local,ftp,read,winbox,!telnet,!ssh,!reboot,!write,!policy,!te\
st,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api"
/interface l2tp-server server
set default-profile=L2TP enabled=yes use-ipsec=required
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=instagram.com list=VPN
add address=rutor.info list=VPN
add address=147.75.208.0/20 list=VPN
add address=185.89.216.0/22 list=VPN
add address=31.13.24.0/21 list=VPN
add address=31.13.64.0/19 list=VPN
add address=31.13.96.0/19 list=VPN
add address=45.64.40.0/22 list=VPN
add address=66.220.144.0/20 list=VPN
add address=69.63.176.0/20 list=VPN
add address=69.171.224.0/19 list=VPN
add address=74.119.76.0/22 list=VPN
add address=102.132.96.0/20 list=VPN
add address=103.4.96.0/22 list=VPN
add address=129.134.0.0/16 list=VPN
add address=157.240.0.0/16 list=\VPN
add address=173.252.64.0/18 list=VPN
add address=179.60.192.0/22 list=VPN
add address=185.60.216.0/22 list=VPN
add address=204.15.20.0/22 list=VPN
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=forward comment=guest_local_drop connection-state=new \
dst-address=192.168.4.0/24 src-address=192.168.250.0/24
add action=drop chain=forward connection-state=new disabled=yes dst-address=\
192.168.4.0/24 src-address=192.168.42.0/24
add action=accept chain=input comment=ssh_accept dst-port=7120 protocol=tcp
add action=accept chain=input comment=winb_accept dst-port=8291 protocol=tcp
add action=accept chain=input comment=VPN dst-port=500,1701,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=add-src-to-address-list address-list=ssh_round1 \
address-list-timeout=2m chain=input comment=sshguard connection-state=new \
dst-port=7120 protocol=tcp
add action=add-src-to-address-list address-list=ssh_round2 \
address-list-timeout=2m chain=input connection-state=new dst-port=7120 \
protocol=tcp src-address-list=ssh_round1
add action=add-src-to-address-list address-list=ssh_round3 \
address-list-timeout=1m chain=input connection-state=new dst-port=7120 \
protocol=tcp src-address-list=ssh_round2
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w chain=input connection-state=new dst-port=7120 \
protocol=tcp src-address-list=ssh_round3
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=VPN \
new-routing-mark=VPN_RKN passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=RKN_NE_PROIDET
add action=dst-nat chain=dstnat disabled=yes dst-port=1701,500,4500 \
in-interface=bridge protocol=tcp to-addresses=192.168.42.10
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=RKN \
pref-src="" routing-table=VPN_RKN scope=30 suppress-hw-offload=no \
target-scope=10
/routing rule
add action=lookup-only-in-table disabled=no routing-mark=VPN_RKN table=\
VPN_RKN
-
xvo
- Сообщения: 4204
- Зарегистрирован: 25 фев 2018, 22:41
- Откуда: Москва