Hi, I am using a Starlink Bussiness with public IP, to create a VPN between a Mikrotik to a FG1500D.
Without the VPN on the, a laptop connected to the Mikrotik on site can reach 250/50 Mbps (Minimum 80/15 Mbps); but with the VPN Stablished the speed down to maximim 15/10 Mbps.
The connection is
Laptop <--> Mikrotik RB960 <--> Starlink <--> Internet <--> F1500D <--> Internet
I tried changing the MTU, but nothing happen, I know that satellite system use tcp spoofing optimization techniques, but i cant confirm with starlink if thta feature is on his plattform and if this affect the VPN.
Somebody had the same issue?
Thanks in advanced
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
When you say VPN as the cause, it's pretty much either software performance on the client side or performance on the FortiGate/Server side as I said before. Overhead in between is fixed and limited, and shouldn't that much.
If IPsec VPN, I wouldn't suspect the client side. If SSL VPN, it would be more impacted by client because it needs to go through entire TCP/IP protocol stack on the machine in addition to encryption/decription.
Your FortiGate admin person should be able to locally connect a client over VPN, or at least very close, then test internet performance when user's all internet bound traffic comes over the tunnel and get through the FortiGate to reach the internet. And likely be able to recreate the problem.
Toshi
Hi @Vinnyard
What is your forticlient version ? What is your Fortigate HW and Software version ? Can you share a little bit about your network ?
We will make a test based on your information. Thanks
Regards
Bill
Hello.
I have the same problem too.
I am using a residential starlink connection.
I have done the following test (all with the same client and server IP and the same server port):
- I test against a public ip where I have deployed the librespeed service (https://github.com/librespeed/speedtest). With that config I get good speed values 100Mbps/20Mbps.
- But if instead of the librespeed I put an iperf (using the same IP and the same port) the speed is much lower (19Mbps/8Mbps)
could it be that QoS is being applied at layer 7?
Regards.
Hello Bill.
My firewall have the last firmware avaliable, but I think that this issue is not dependant on firewall.
The test I've made show that the speed is good if I use HTTP protocol, but It is worse if I use iperf only with StarLink. With another Internet conection this not happen.
Have you made similar test with both app (http and iperf) against the same server and port? are your results similar to mine?
Regards.
Hi @Jorpoz
I think you should test the 2 cases to compare :
1. Test iperf3 UDP mode.
2. Test iperf3 TCP mode with MSS 1440.
Regards
Bill
Hello @BillH_FTNT
I've done the test just now.
I get the same result with both config (udp and tcp with MSS 1440), the max speed I get is 20Mbps.
I suposse that is a starlink problem, but I cannot prove it.
Regards
Hi @Jorpoz
Hi
The way to verify Starlink is to capture wireshark from your client, incoming firewall, and outgoing firewall. Then you check one packet flow in 3 files pcap to know where the drop packets are and where the retransmissions are. Therefore, you can prove that Starlink is not.
HTH
Bill
with ipsec vpnm You should try to set vpn tcp-mss on mikrotik to 1200 to see if this help.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1634 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.