Solved: site-to-site pings ok only when not carrying useful traffic
I finally finished establishing a site-to-site link between two pfSense boxes. I used the example at https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_OpenVPN-connection_in_PfSense_2.1, which was a great help. My post notes a couple things that could be updated to make that example more applicable to recent releases.
I followed the guide as strictly as possible, except that since I have no need to NAT one LAN's traffic out the other's WAN, I didn't implement that part. It seemed to succeed when I was able to consistently ping addresses on each LAN from the other. But moving actual data (for example, calling up the web GUI of one pfSense box from a browser at the other site) made the link drop nearly all packets. It resumed answering pings only after the line had been idle for 20 seconds or so. A static web page like the login page would eventually display. A page with constant AJAX activity, like the home page with traffic graphs, would never display completely. I knew the internet connections were solid because a mobile OpenVPN connection (Windows client to pfSense server) worked perfectly.
A little more detail: one box is at 2.1-RELEASE (yeah, I need to upgrade that), corresponding to the example's instructions and screenshots perfectly. I made that one the server. The other box, my client, is at 2.3.4-RELEASE and had some different options that were not self-evident to set. I thought the adaptive compression might be the problem, but setting it to "Enabled without Adaptive Compression" did not solve the problem. Disabling compression on both sides did not help either. I initially tried a "Limit outgoing bandwidth" value on the client side, but removing it did not help. Nothing showed in the logs beyond a successful connection process, with the verbosity level set to 3 or 4.
I was about to give up and try IPsec instead when I found the magic setting: Disable IPv6. When I brought the link up with that checked, everything worked perfectly.