Netgate Discussion Forum

    Pfsense IPSEC LAN to LAN VPN: low bitrate output by iperf2

      mauro.tridici

      Dear Users,

      I just activated an IPSEC LAN2LAN VPN in order to connect two private subnets belonging to two different sites.
      Connection between the endpoints has been established correctly, the workstations belonging to the two different private subnets can ping each other.
      The two sites are interconnected by a 1Gb link and the iperf test integrated in pfSense (between the WAN addresses of the two pfSense instances) returned the expected values.
      Please note that this test doesn't involve the IPSEC VPN tunnel.

      [ ID] Interval Transfer Bitrate Retr Cwnd
      [ 5] 0.00-1.00 sec 101 MBytes 844 Mbits/sec 38 226 KBytes
      [ 5] 1.00-2.00 sec 107 MBytes 898 Mbits/sec 17 174 KBytes
      [ 5] 2.00-3.00 sec 104 MBytes 870 Mbits/sec 42 227 KBytes
      [ 5] 3.00-4.00 sec 103 MBytes 868 Mbits/sec 31 313 KBytes
      [ 5] 4.00-5.00 sec 105 MBytes 879 Mbits/sec 14 203 KBytes
      [ 5] 5.00-6.00 sec 102 MBytes 854 Mbits/sec 36 254 KBytes
      [ 5] 6.00-7.00 sec 104 MBytes 875 Mbits/sec 15 217 KBytes
      [ 5] 7.00-8.00 sec 105 MBytes 879 Mbits/sec 50 143 KBytes
      [ 5] 8.00-9.00 sec 102 MBytes 856 Mbits/sec 30 227 KBytes
      [ 5] 9.00-10.00 sec 107 MBytes 898 Mbits/sec 19 271 KBytes


      [ ID] Interval Transfer Bitrate Retr
      [ 5] 0.00-10.00 sec 1.02 GBytes 872 Mbits/sec 292 sender
      [ 5] 0.00-10.09 sec 1.01 GBytes 864 Mbits/sec receiver

      iperf Done.

      BUT, when I try to make an iperf test between the hosts belonging to the different subnets (involving the VPN tunnel), I can see a very low bitrate value:

      iperf2 -c 192.168.201.11

      Client connecting to 192.168.201.11, TCP port 5001
      TCP window size: 325 KByte (default)

      [ 3] local 192.168.202.12 port 43102 connected with 192.168.201.11 port 5001
      [ ID] Interval Transfer Bandwidth
      [ 3] 0.0-10.0 sec 375 MBytes 315 Mbits/sec

      Both the pfSense instances have the same (basic) IPSEC configuration:

      Phase 1:
      AES, 128 bits, SHA1, DH 14 (2048 bits)

      Phase 2:
      ESP, AES 128 bits, SHA1 hash algorithm, PFS key group 14 (2048 bits)

      Both the pfSense instances have the following interfaces:

      WAN with the public IP
      LAN with the private IP for management needs
      OPT1 with the private IP to reach the private subnet

      WAN interface has MTU = 1500
      LAN interface has MTU = 1500
      OPT1 interface has MTU = 9000

      I read in some other threads that MTU and MSS can be modified accordingly, but since I'm a newbie, I didn't understand which interface settings should be modified and how and why I have to do it (if it is really needed).

      Could you please help me to improve the performance of the IPSEC VPN?

      Thank you in advance,
      Mauro

        mauro.tridici

        Has anyone already experienced and solved this issue?

        Additional info:
        Both the pfSense instances are running on two VMware ESXi virtual machines (each one has 4 cores + 4GB RAM)

        Mauro
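
The ESP size arithmetic behind the MTU/MSS question in this thread, as an added example that is not part of the original posts and not pfSense's own code. It assumes the "AES" in the Phase 2 settings means AES-CBC, with HMAC-SHA1-96, tunnel mode and an IPv4 outer header; all function names are hypothetical.

```python
# Added example: ESP tunnel-mode size arithmetic for the Phase 2 settings in the post.
# Assumptions (not stated on the page): AES in CBC mode, HMAC-SHA1-96, IPv4 outer
# header without options, optional NAT-T (UDP 4500) encapsulation.

OUTER_IPV4 = 20      # outer IPv4 header
ESP_HEADER = 8       # SPI (4) + sequence number (4)
AES_BLOCK = 16       # AES-CBC block size, also the IV length
ESP_TRAILER = 2      # pad length (1) + next header (1), encrypted with the payload
ICV_SHA1_96 = 12     # HMAC-SHA1 truncated to 96 bits
NAT_T_UDP = 8        # UDP header added when NAT traversal is in use
INNER_TCP_IP = 40    # inner IPv4 (20) + TCP (20) headers, no options


def esp_packet_len(inner_len, nat_t=False):
    """Size on the WAN of one tunnel-mode ESP packet carrying an inner IP packet."""
    plaintext = inner_len + ESP_TRAILER
    ciphertext = -(-plaintext // AES_BLOCK) * AES_BLOCK  # pad up to a whole block
    udp = NAT_T_UDP if nat_t else 0
    return OUTER_IPV4 + udp + ESP_HEADER + AES_BLOCK + ciphertext + ICV_SHA1_96


def max_inner_packet(wan_mtu, nat_t=False):
    """Largest inner IP packet whose ESP packet still fits in wan_mtu."""
    udp = NAT_T_UDP if nat_t else 0
    room = wan_mtu - OUTER_IPV4 - udp - ESP_HEADER - AES_BLOCK - ICV_SHA1_96
    return room // AES_BLOCK * AES_BLOCK - ESP_TRAILER


def max_tcp_mss(wan_mtu, nat_t=False):
    """TCP MSS for which a full segment needs no fragmentation on the WAN."""
    return max_inner_packet(wan_mtu, nat_t) - INNER_TCP_IP


def outer_fragments(inner_len, wan_mtu, nat_t=False):
    """IPv4 fragments needed if the ESP packet is fragmented after encryption."""
    payload = esp_packet_len(inner_len, nat_t) - OUTER_IPV4
    per_frag = (wan_mtu - OUTER_IPV4) // 8 * 8  # fragment data is in 8-byte units
    return -(-payload // per_frag)


if __name__ == "__main__":
    for inner in (1438, 1439, 1500, 9000):  # 1500 and 9000 are the page's MTUs
        print(inner, esp_packet_len(inner), outer_fragments(inner, 1500))
    print("max inner:", max_inner_packet(1500), "MSS:", max_tcp_mss(1500))
```

Under these assumptions, a WAN MTU of 1500 leaves room for a 1438-byte inner packet (TCP MSS 1398) without NAT-T, while a 9000-byte packet from the OPT1 side becomes a 9064-byte ESP packet that has to be split into 7 fragments.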
