I have a very old MikroTik RB750Gr2 home router (720MHz QCA9556 CPU, 64MB RAM, QCA8337 switch chip and 5 gigabit ports). It was good, but it lacked hardware encryption. I built an OpenVPN server at a VPS provider and used the router to connect to it, to speed up connections to Google.
Recently I subscribed to the NordVPN service to replace my home-made OpenVPN server, and then decided to replace the router with a new MikroTik model that has hardware encryption. After reviewing the options, I think the IPsec throughput of the hEX (RB750Gr3) is enough to use up my 150Mbps broadband capacity.
Specification of hEX
- 880MHz MT7621A CPU/Switch SoC
- 256MB RAM
- 5 gigabit ports
- AES-CBC hardware encryption
Preloaded firewall rules
The OS of the MikroTik router is RouterOS. Version 7 brought major changes to VLAN and IP routing/firewall configuration, so I need to study the new version of RouterOS.
Power on the router, then in "Quick Set" choose "Router Mode" and enable "NAT"; the following firewall rules will be preloaded into the router.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
These firewall rules do the following:
- on input and forward, accept packets in the established, related or untracked connection states
- on input and forward, drop packets in the invalid state
- on input, accept ICMP packets
- on input, accept packets whose destination is 127.0.0.1 (for CAPsMAN)
- on input, drop any packets to the router's own services (e.g. ssh, http) that do not arrive from a LAN interface
- on forward, accept packets matching an IPsec policy (in or out)
- on forward, mark established or related connections for the fasttrack routine, so their later packets bypass the firewall rules
- on forward, drop new connections arriving from a WAN interface that were not DST-NATed
- perform source NAT (masquerade) on packets leaving through WAN interfaces, except those matching an outbound IPsec policy
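To see how the ordered rules above decide a packet's fate, here is an added example that is not part of the original post and not RouterOS code: a small Python evaluator that encodes the preloaded filter rules in evaluation order and walks constructed sample packets through them. It assumes RouterOS's behaviour that `fasttrack-connection` marks the connection but does not terminate processing for the matching packet, and that a chain with no matching rule falls through to an implicit accept.

```python
# Added example (not RouterOS code): first-match walk over the preloaded filter rules.
from dataclasses import dataclass

@dataclass
class Packet:
    chain: str               # "input" (to the router) or "forward" (through it)
    conn_state: str          # new / established / related / untracked / invalid
    in_list: str = "LAN"     # interface list it arrived on: "LAN" or "WAN"
    protocol: str = "tcp"
    dst: str = "192.0.2.10"  # constructed sample address
    nat_state: str = ""      # "dstnat" when the connection was DST-NATed
    ipsec: str = ""          # "in" / "out" when an IPsec policy matched

EST = {"established", "related", "untracked"}

# (chain, matcher, action, defconf comment) in RouterOS evaluation order.
RULES = [
    ("input",   lambda p: p.conn_state in EST,       "accept", "accept established,related,untracked"),
    ("input",   lambda p: p.conn_state == "invalid", "drop",   "drop invalid"),
    ("input",   lambda p: p.protocol == "icmp",      "accept", "accept ICMP"),
    ("input",   lambda p: p.dst == "127.0.0.1",      "accept", "accept to local loopback"),
    ("input",   lambda p: p.in_list != "LAN",        "drop",   "drop all not coming from LAN"),
    ("forward", lambda p: p.ipsec == "in",           "accept", "accept in ipsec policy"),
    ("forward", lambda p: p.ipsec == "out",          "accept", "accept out ipsec policy"),
    ("forward", lambda p: p.conn_state in {"established", "related"},
                                                     "fasttrack-connection", "fasttrack"),
    ("forward", lambda p: p.conn_state in EST,       "accept", "accept established,related,untracked"),
    ("forward", lambda p: p.conn_state == "invalid", "drop",   "drop invalid"),
    ("forward", lambda p: p.conn_state == "new" and p.in_list == "WAN"
                          and p.nat_state != "dstnat", "drop", "drop all from WAN not DSTNATed"),
]

def evaluate(p: Packet) -> tuple:
    """Walk the packet's chain in order and return (verdict, rules hit).
    fasttrack-connection marks the connection but does not terminate, so the
    packet continues to the next rule; no match means the implicit accept."""
    hits = []
    for chain, match, action, comment in RULES:
        if chain != p.chain or not match(p):
            continue
        hits.append(comment)
        if action != "fasttrack-connection":
            return action, hits
    return "accept", hits + ["implicit default accept"]

if __name__ == "__main__":
    for pkt in (Packet("input", "new", in_list="WAN"),     # e.g. SSH from the Internet
                Packet("forward", "new", in_list="WAN"),   # unsolicited inbound connection
                Packet("forward", "established")):         # reply path of a LAN flow
        print(pkt.chain, pkt.conn_state, "->", evaluate(pkt))
```

Note how an established forward packet hits the fasttrack rule and still needs the accept rule right after it, which is why the default configuration keeps both.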
OpenVPN client
In version 7 the OpenVPN client does not use the hardware encryption engine; everything is done in software. NordVPN's OpenVPN service uses TLS authentication (tls-auth), which MikroTik claims RouterOS 7 supports. In my testing the VPN connection could be established, but it could not exchange any data.
IPSec/IKEv2 connection
I set up the connection to NordVPN using this guide. The connection is established, but the router shows high CPU usage, low throughput and high latency (over 1 second). After reading forum posts, I found the following problems.
- packets which match an IPsec policy cannot go through the fasttrack routine
- the MTU is less than 1500, the same situation as a PPPoE dial-up connection on an xDSL service
After correcting these, a connection can reach 70-80Mbps (aes-128-cbc/sha1), but the load of one CPU thread rises to 100% (throughput is bound by this). If two connections are established, my 150Mbps broadband capacity can be used up. Even with hardware encryption, CPU usage is high because every packet has to traverse all the firewall rules.
WireGuard/NordLynx connection
Users in the MikroTik forum suggest using WireGuard when connecting to NordVPN; it is also the protocol the official NordVPN apps prefer. WireGuard encryption is done in software, but its packets can go through the fasttrack routine, which reduces the router's CPU usage. After setup, a connection can reach 80-100Mbps, with the load of all 4 CPU threads going up to 100%.