critter
just joined
Topic Author
Posts: 4
Joined: Wed Mar 29, 2017 7:14 pm

bad ipsec tunnel throughput (forward chain) on pppoe line (MTU problems suspected)

Fri Apr 19, 2024 1:16 pm

Hello
I have been pulling my hair out over this for a week and I have too little hair left, so .. :)

The problem is extremely low speed through ipsec (l2l) from the local network, while all other traffic is fast.
Connectivity to the internet is over pppoe.
The router seems to have a proper public IP address.
Speed through ipsec from the remote network to the router seems reasonably fast, considering it is over the scp protocol.

What is unreasonably bad is when any computer on the local network tries to open any connection to the remote network over ipsec. Speed is just a few kB or stalled completely. Connections are mostly CIFS or MSSQL.

I am aware that there is a different MTU on pppoe connections and I've tried to compensate in the mangle table, but it doesn't help, see below.


# 2024-04-19 10:30:36 by RouterOS 7.14.1
# software id = 6HYY-P8AI
#
# model = RB4011iGS+


config:
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=<someuser>
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN

/ip address/print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
;;; defconf
0 172.30.38.1/24 172.30.38.0 bridge
1 D 91.192.35.203/32 10.222.222.222 pppoe-out1

/ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, v - VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
DST-ADDRESS GATEWAY DISTANCE
DAv 0.0.0.0/0 pppoe-out1 1
DAc 10.222.222.222/32 pppoe-out1 0
DAc 172.30.38.0/24 bridge 0

/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,aes-128-ctr,aes-128-gcm

#Policy is supposed to encrypt traffic to three networks (172.30.40.0/24, 172.18.0.0/16, 172.30.0.0/16); all other traffic should go out to the internet.
/ip ipsec policy
add action=none dst-address=172.30.38.0/24 src-address=172.30.38.0/24
add dst-address=172.30.40.0/24 level=unique peer=<some_peer_name> src-address=172.30.38.0/24 tunnel=yes
add dst-address=172.30.0.0/16 level=unique peer=Nagano src-address=172.30.38.0/24 tunnel=yes
add dst-address=172.18.0.0/16 level=unique peer=Nagano src-address=172.30.38.0/24 tunnel=yes

/ip firewall nat
add action=accept chain=srcnat dst-address=172.30.40.0/24 src-address=172.30.38.0/24
add action=accept chain=srcnat dst-address=172.18.0.0/16 src-address=172.30.38.0/24
add action=accept chain=srcnat dst-address=172.30.0.0/16 src-address=172.30.38.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN


#here I try to compensate in mangle table
/ip firewall mangle
add action=change-mss chain=forward connection-state=new dst-address=172.30.0.0/16 new-mss=1350 passthrough=yes protocol=tcp src-address=172.30.38.0/24 tcp-flags=syn
add action=change-mss chain=forward connection-state=new dst-address=172.18.0.0/16 new-mss=1350 passthrough=yes protocol=tcp src-address=172.30.38.0/24 tcp-flags=syn

/interface/pppoe-client/monitor pppoe-out1
status: connected
uptime: 11h30m11s
active-links: 1
encoding:
service-name: service1
ac-name: Ervenice
ac-mac: 6C:3B:6B:5C:99:C5
mtu: 1480
mru: 1492
local-address: 91.192.35.203
remote-address: 10.222.222.222
local-ipv6-address: fe80::f9db:422e:0:e
remote-ipv6-address: fe80::f0:9b

#I can see some hits in the mangle table too.
/interface> /ip firewall/mangle/print stats
Flags: X - DISABLED; D - DYNAMIC
Columns: CHAIN, ACTION, BYTES, PACKETS
# CHAIN ACTION BYTES PACKETS
;;; special dummy rule to show fasttrack counters
0 D prerouting passthrough 18 065 351 476 20 423 108
;;; special dummy rule to show fasttrack counters
1 D forward passthrough 18 065 351 476 20 423 108
;;; special dummy rule to show fasttrack counters
2 D postrouting passthrough 18 065 351 476 20 423 108
3 X forward clear-df 30 690 023 100 253
4 forward change-mss 19 500 375
5 forward change-mss 0 0



I have this setup on many other routers and it works just fine, except on this one; the others have a standard public IPv4 address on the router.
It seems the problem occurs only during forward from the LAN into the ipsec tunnel and I suspect it is because of MTU, but why is change-mss not working?

Should I change the MTU/MRU on the interface instead?
Thank you very much in advance for any insight.
Regards
Miroslav Okrina
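A worked MTU/MSS calculation for the figures in this post (an added example, not code from the thread or from RouterOS). It assumes ESP tunnel mode with AES-128-CBC and a 96-bit HMAC ICV, which is an assumption since the proposal above also lists CTR and GCM, and it also checks which ipsec policy destinations the two change-mss rules cover.

```python
"""MTU/MSS arithmetic for ESP tunnel mode over a PPPoE link with MTU 1480.

Added illustration, not part of the original posts or of RouterOS.
Assumption: the SA uses AES-128-CBC (16-byte IV, 16-byte blocks) with a
96-bit (12-byte) ICV; other ciphers change the IV/ICV sizes.
"""
import ipaddress
import math

PPPOE_MTU = 1480  # mtu reported by /interface/pppoe-client/monitor in the post


def max_inner_mtu(outer_mtu, iv_len=16, icv_len=12, block=16, ipv4_hdr=20):
    """Largest inner IPv4 packet that fits one ESP tunnel-mode datagram.

    Outer layout: outer IPv4 header + ESP header (SPI + seq = 8 bytes) + IV
    + [inner packet + padding + pad-len + next-header] + ICV.
    The bracketed part must be a multiple of the cipher block size.
    """
    budget = outer_mtu - ipv4_hdr - 8 - iv_len - icv_len
    budget -= budget % block          # round down to a block boundary
    return budget - 2                 # minus pad-len and next-header bytes


def max_tcp_mss(outer_mtu):
    """TCP MSS that keeps encrypted packets unfragmented (IPv4 + TCP = 40)."""
    return max_inner_mtu(outer_mtu) - 40


def esp_size(inner_len, iv_len=16, icv_len=12, block=16, ipv4_hdr=20):
    """On-the-wire size of the ESP datagram carrying a packet of inner_len."""
    padded = math.ceil((inner_len + 2) / block) * block
    return ipv4_hdr + 8 + iv_len + padded + icv_len


def uncovered_policies(policy_dsts, mss_rule_dsts):
    """Policy destinations that no change-mss rule destination contains."""
    rules = [ipaddress.ip_network(r) for r in mss_rule_dsts]
    return [p for p in policy_dsts
            if not any(ipaddress.ip_network(p).subnet_of(r) for r in rules)]


if __name__ == "__main__":
    # Values from the post: three policy destinations, two change-mss rules.
    print("max MSS for MTU 1480:", max_tcp_mss(PPPOE_MTU))          # 1382
    print("ESP size at max inner:", esp_size(max_inner_mtu(PPPOE_MTU)))
    print("policies without an MSS rule:", uncovered_policies(
        ["172.30.40.0/24", "172.30.0.0/16", "172.18.0.0/16"],
        ["172.30.0.0/16", "172.18.0.0/16"]))
```

With these assumptions the largest fragmentation-free MSS is 1382, so the new-mss=1350 in the mangle rules is already below that bound, and all three policy destinations fall inside the two rule destinations.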
 
critter
just joined
Topic Author
Posts: 4
Joined: Wed Mar 29, 2017 7:14 pm

Re: bad ipsec tunnel throughput (forward chain) on pppoe line (MTU problems suspected)

Tue Apr 23, 2024 11:16 am

I have a small update: an scp copy to the MikroTik HDD over the VPN goes as fast as it should, which is weird.
All other traffic from stations on the LAN in the other direction is bad, including SQL and CIFS.

I've tried to apply MTU limits to the bridge, after that also to the physical ports on the bridge, and then I've tried to apply an MTU to the pppoe interface. All of that had minimal or zero effect.

What am I missing?
