Extremely poor speeds after 2.5.2 CE to 2.6 CE upgrade
-
Update: FALSE ALARM... I double checked overall network health and discovered the machine I was having issues with had a nic that had fallen-back to 100Mbit... Switched ports on my switch and downloads are back to expected speeds.
Thanks for the replies, appreciate the engagement.
-
@bpsdtzpw said in Extremely poor speeds after 2.5.2 CE to 2.6 CE upgrade:
No. I get ~500Mb/s up/down over OpenVPN on 2.6CE on a 1Gb/s fiber line using Celeron 3865U-based hardware. I haven't tested the non-VPN speed, but it's clearly >> 500Mb/s. Possibly you're having a NIC issue? FreeBSD seems to do well with Intel NICs, but maybe not others.
Lol, I get 60 MBit/s on a Celeron 3867U and 350 Mbit/s on a Threadripper 3970X, and I spent 2 days trying to improve the performance with no luck.
And by the way, on 2.4.5-p1 I got 350 Mbit/s on the 3867U, last time I tried. ^^
-
Test rig.
-
@thiasaef said in Extremely poor speeds after 2.5.2 CE to 2.6 CE upgrade:
Lol, I get 60 MBit/s on a Celeron 3867U
That's worse than you can get with the lowliest Atom. Something pretty seriously wrong in that setup if that's all it can pass. That or it's massively overloaded in some part of the path.
Steve
-
@stephenw10, yes, there is obviously something wrong. The symptoms are that the CPU load is relatively low (~ 16 %) and that there is no speed improvement when I disable the encryption entirely.
Here are some more details: https://forum.netgate.com/topic/154665/openvpn-slow-local-network-test/38?_=1646583954636
-
Oh, OK so you're only seeing those speeds over OpenVPN?
I misread that then. 60Mbps is still pretty bad though, assuming the latency over the tunnel allows more of course.
Steve
-
I also want to chime in here and say there is definitely something wrong with the codebase in 2.6. I have posted here and on Reddit with decent advice from the community but untimely still having a problem.
Site 2 Site VPN. Previously both firewalls on each side were OPNsense. iPerf test I would get great speeds. 100/100Mbps. I changed one site to Pfsense. The best I can do is 20Mbps. This isn't an MTU issue. Moved the device back to OPNsense and speeds are back up to 100Mbps during iPerf test. This is a vanilla IPsec turn-up. I tested throughput with IPsec and Wireguard and the results are the same. Low throughput. The problem is 100% on PFsense but no indication as to why. CPU util is very low. Memory util is very low. Basically, this system is oversized for this site. Was working without issue on OPNsense.
edit: Let me also be clear that this is for some reason only with Site 2 Site VPN. If I do Remote Access VPNs on a mobile client then I get very high throughput. A normal speedtest to the Internet at both sites reveal good throughput. Im not sure why but my low throughput is only affected when its a site2site set up either through IPsec or Wireguard.
-
And you don't see that if you use 2.5.2 at one end instead?
What did you do to determine it's not an MTU issue?
You have a link to a thread I can review?
Steve
-
@stephenw10
Its not MTU for these reasons;- Its not present with the OPNsense implementation with the MTU set for 1400 which is by default.
- Changing MTU values from 1300 to 1400 make no difference on the pfsense side.
-edit- - Testing MTU with icmp pings, I cam able to send up to 1472 bytes before the DF bit hits me and packets dropped. Tried on both Linux and Windows clients.
I did not try 2.5.2 prior to this. This is a clean install to 2.6. There were no previous configuration to restore.
https://www.reddit.com/r/PFSENSE/comments/sso59f/wireguard_throughput/
Im fully open to a Zoom tshooting session at this point.
-
@itwerks said in Extremely poor speeds after 2.5.2 CE to 2.6 CE upgrade:
find an official image
Just for reference, https://www.pfsense.org/download/, don't select an Architecture, and click Download, it will pull up a mirror with several versions.
backup would restore my certs and OpenVPN config
You probably can't restore to an earlier release but if you had a backup from before the upgrade (hint) just restore that.
-
@steveits thanks for the tip re old releases. Lesson learned.
