IPSEC VPN Starlink speed issues

jcardenas · ‎06-05-2023

Hi, I am using a Starlink Bussiness with public IP, to create a VPN between a Mikrotik to a FG1500D.

Without the VPN on the, a laptop connected to the Mikrotik on site can reach 250/50 Mbps (Minimum 80/15 Mbps); but with the VPN Stablished the speed down to maximim 15/10 Mbps.

The connection is

Laptop <--> Mikrotik RB960 <--> Starlink <--> Internet <--> F1500D <--> Internet

I tried changing the MTU, but nothing happen, I know that satellite system use tcp spoofing optimization techniques, but i cant confirm with starlink if thta feature is on his plattform and if this affect the VPN.

Somebody had the same issue?

Thanks in advanced

Toshi_Esumi · ‎09-01-2023

When you say VPN as the cause, it's pretty much either software performance on the client side or performance on the FortiGate/Server side as I said before. Overhead in between is fixed and limited, and shouldn't that much.

If IPsec VPN, I wouldn't suspect the client side. If SSL VPN, it would be more impacted by client because it needs to go through entire TCP/IP protocol stack on the machine in addition to encryption/decription.

Your FortiGate admin person should be able to locally connect a client over VPN, or at least very close, then test internet performance when user's all internet bound traffic comes over the tunnel and get through the FortiGate to reach the internet. And likely be able to recreate the problem.

Toshi

BillH_FTNT · ‎12-06-2023

Hi @Vinnyard

What is your forticlient version ? What is your Fortigate HW and Software version ? Can you share a little bit about your network ?

We will make a test based on your information. Thanks

Regards

Bill

Jorpoz · ‎12-05-2023

Hello.

I have the same problem too.

I am using a residential starlink connection.
I have done the following test (all with the same client and server IP and the same server port):
- I test against a public ip where I have deployed the librespeed service (https://github.com/librespeed/speedtest). With that config I get good speed values 100Mbps/20Mbps.
- But if instead of the librespeed I put an iperf (using the same IP and the same port) the speed is much lower (19Mbps/8Mbps)
could it be that QoS is being applied at layer 7?

Regards.

BillH_FTNT · ‎12-06-2023

Hi @Jorpoz

What is your client and Firewall version ?

Regards/Bill

Jorpoz · ‎12-11-2023

Hello Bill.

My firewall have the last firmware avaliable, but I think that this issue is not dependant on firewall.

The test I've made show that the speed is good if I use HTTP protocol, but It is worse if I use iperf only with StarLink. With another Internet conection this not happen.

Have you made similar test with both app (http and iperf) against the same server and port? are your results similar to mine?

Regards.

BillH_FTNT · ‎12-11-2023

Hi @Jorpoz

I think you should test the 2 cases to compare :

1. Test iperf3 UDP mode.

2. Test iperf3 TCP mode with MSS 1440.

Regards

Bill

Jorpoz · ‎12-13-2023

Hello @BillH_FTNT
I've done the test just now.
I get the same result with both config (udp and tcp with MSS 1440), the max speed I get is 20Mbps.

I suposse that is a starlink problem, but I cannot prove it.

Regards

BillH_FTNT · ‎12-13-2023

Hi @Jorpoz

Hi
The way to verify Starlink is to capture wireshark from your client, incoming firewall, and outgoing firewall. Then you check one packet flow in 3 files pcap to know where the drop packets are and where the retransmissions are. Therefore, you can prove that Starlink is not.

HTH

Bill

amuda · ‎12-13-2023

Hi,

Have you tried to put a switch in between?

Amerul
APAC TAC

AntonyChen · ‎12-13-2023

with ipsec vpnm You should try to set vpn tcp-mss on mikrotik to 1200 to see if this help.