This is a comparison of the major MikroTik tunneling protocols. The values in the table below reflect the way that Mikrotik can handle these tunnels as opposed to how the tunnels might behave when in strict accordance with their respective standards. For example, as per the published standard L2TP is not an encrypted tunnel, but when used between two MikroTik routers the L2TP tunnel can use the same encryption as PPtP.
| Tunnel | Introduced |
Authentication Layer |
Port | Port can be changed |
Default MTU |
Authentication Protocols |
Encryption Protocols |
Encryption Level |
Clients can call home |
Bridging or BCP Supported |
| GRE | Oct 1994 | 3 | N/A | No | 1476 | N/A | N/A | None | No | No |
| IPIP | Oct 1996 | 3 | N/A | No | 1480 | N/A | N/A | None | No | No |
| VLAN | 1998 | 2 | N/A | No | 1500 | N/A | N/A | None | N/A | Yes |
| IPSEC | Nov 1998 | 3 | UDP 500 | Yes | N/A | None MD5 SHA1 SHA256 SHA512 |
None DES, 3DES, AES, Blowfish, Twofish, Camellia |
None, 64bits, 128bit, 192bit, 256bit |
Yes | No |
| PPPoE | Feb 1999 | 2 | N/A | N/A | 1480 | PAP CHAP MSCHAP v1 MSCHAP v2 |
None MPPE 40bit MPPE 128bit |
None or 40bit or 128bit |
N/A | Yes |
| PPtP | July 1999 | 3 | TCP 1723 | No | 1450 | PAP CHAP MSCHAP v1 MSCHAP v2 |
None MPPE 40bit MPPE 128bit |
None or 40bit or 128bit |
Yes | Yes |
| L2TP | Aug 1999 | 3 | UDP 1701 | No | 1450 | PAP CHAP MSCHAP v1 MSCHAP v2 |
None MPPE 40bit MPPE 128bit |
None or 40bit or 128bit |
Yes | Yes |
| OVPN | May 2001 | 3 | TCP 1194 | Yes | 1500 | None MD5 SHA1 |
None Blowfish 128 AES 128 AES 192 AES 256 |
None 128bit, 192bit, or 256bit |
Yes | Yes |
| EOIP | Sept 2002 | 3 | N/A | No | 1458 | N/A | N/A | None | No | Yes |
| SSTP | Jan 2007 | 3 | TCP 443 | Yes | 1500 | PAP CHAP MSCHAP v1 MSCHAP v2 TLS 1.0 |
None MPPE 40bit MPPE 128bit TLS 1.0 |
None or 40bit or 128bit or 256bit |
Yes | Yes |
All tunnels have an affect upon throughput. In the table below, I’ll show how much throughput is lost per tunnel type. These tests were not conducted to see what the max throughput between the routers could have possibly have been, but rather to show the loss of throughput when traversing a tunnel. The tests were conducted between two 8 port CRS routers running ROS 6.27. Each of the tunnels was using its highest encryption method. Your results will probably vary a little but the % of loss should be somewhat similar. A lower encryption standard should give more favorable results, but that won’t always be true.
Update 9-19-2018: ROS has made many improvements and these test results are not accurate anymore. Fast Track and other features can produce much higher throughput values then what was true in ROS 6.27. To test your tunnel, first do a bandwidth test between the IPs that are being used to connect the tunnel. Frequently, this will be the public IP address of the two routers. Then test between the IP addresses used on the tunnel to compare the results.
| Tunnel | Initial Bandwidth |
With Tunnel | % of Loss |
| GRE | 691M RX | 195M RX | 71.80% |
| IPIP | 691M RX | 204M RX | 70.50% |
| VLAN | 691M RX | 582M RX | 15.80% |
| IPSEC | 691M RX | 667M RX | 3.50% |
| PPPoE | 691M RX | 94M RX | 86.40% |
| PPtP | 691M RX | 61M RX | 91.20% |
| L2TP | 691M RX | 59M RX | 91.50% |
| OVPN | 691M RX | 29M RX | 95.90% |
| EOIP | 691M RX | 190M RX | 72.50% |
| SSTP | 691M RX | 29M RX | 95.80% |
MikroTik Manual Pages
Authentication/ Encryption Protocols
Hello,
Thanks you for this great chart !
which CRS devices are used for this test ? Do they have Hardware encryption support ?
Best regards.
Thanks! I used the CRS109-8G-1S-2HnD-IN and yes, they do have encryption support. I don’t believe that support covers everything, but I know that it does apply to IPSEC specifically.
Could you please share the config of you IPSec tunnel ?
What type of IPSEC tunnel are you looking for?
Talking about IPSec, how is it possible to encrypt traffic at such high speed? According to your results, there is almost no speed degradation comparing to initial BW
The reason for that is that IPSEC is able to utilize an encryption co-possessor on the router. Not all routers have that feature. If these had not, their throughput would have been much worse.
Thanks! Great comparison, very useful!