Is this possible with pfSense?
-
Yeah that's what I was afraid of. OpenVPN doesn't take the interface down when it's disconnected, so it sees "up" and doesn't take it out of the lagg.
Curious if you "ifconfig ovpnc2 down" if it would work.
-
Just tested that, the ping still fails…
When I do an 'ifconfig ovpnc2 up' it all comes back up again and the graphs show equal distribution of traffic.
-
It probably has to be downed on both ends then (server and corresponding client).
-
You are right, that seems to work.
Is there an easy way I could test throughput gain? I'm running all this in VMWare so no real Internet connection. I've just got the WANs going through separate vSwitches.
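One way to automate the "down it on both ends" step confirmed above, written here as an added example rather than anything from this thread or from pfSense itself: let OpenVPN's own hook scripts toggle the lagg member. OpenVPN exports `script_type` and `dev` in the environment of its `up`/`down` (client side) and `client-connect`/`client-disconnect` (server side) scripts, so a single script can map the hook to `ifconfig <dev> up|down` and the lagg drops or re-adds the member as the tunnel comes and goes. The script path `/usr/local/etc/lagg-member.sh` and the idea of adding the directives through the OpenVPN instance's custom options field are assumptions.

```shell
#!/bin/sh
# lagg-member.sh (constructed example, not from the thread or pfSense).
# Called by OpenVPN as an up/down hook on the client instance and as a
# client-connect/client-disconnect hook on the server instance. OpenVPN
# sets $script_type and $dev; the script turns them into ifconfig up/down
# so lagg stops using a member whose tunnel has dropped.
#
# Client-side directives assumed in the instance's custom options:
#   script-security 2
#   persist-tun
#   up-restart
#   ping 10
#   ping-restart 30
#   up   /usr/local/etc/lagg-member.sh
#   down /usr/local/etc/lagg-member.sh
# Server-side directives:
#   script-security 2
#   client-connect    /usr/local/etc/lagg-member.sh
#   client-disconnect /usr/local/etc/lagg-member.sh

# Map an OpenVPN hook name to the ifconfig verb it should trigger.
hook_to_ifconfig_verb() {
  case "$1" in
    up|client-connect)       echo up ;;
    down|client-disconnect)  echo down ;;
    *) echo "lagg-member: unknown hook '$1'" >&2; return 1 ;;
  esac
}

# Build the command for a given device and hook without running it,
# so the mapping can be logged and tested on its own.
member_command() {
  dev_name="$1"
  hook="$2"
  verb=$(hook_to_ifconfig_verb "$hook") || return 1
  echo "ifconfig $dev_name $verb"
}

# Only act when OpenVPN invoked us (it sets these variables); running the
# file by hand without them just defines the functions above.
if [ -n "${script_type:-}" ] && [ -n "${dev:-}" ]; then
  cmd=$(member_command "$dev" "$script_type") || exit 1
  logger -t lagg-member "$cmd"
  $cmd
fi
```

`persist-tun` is needed so OpenVPN keeps the ovpnc device (and therefore the lagg membership) across a `ping-restart`, and `up-restart` is what makes the `down`/`up` hooks fire on those restarts; without it the member would never be downed. Because the server instance only learns of the loss after its own ping timeout, the two ends will not flip at exactly the same moment, so expect a short window of lost pings rather than a seamless switch.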
-
If you have a client behind each firewall, you could run iperf between them, but if it's all on the same ESX box it would be hard to tell.
Can't you rate limit switch ports on ESX? You could perhaps limit each one to something like 1Mbit/s and see what happens more clearly.
-
Not sure if switch ports can be rate limited on a standard vSwitch.
What if I change the WAN interfaces on the client firewall to 10Mbps full duplex and then run iperf?
-
That might help so long as your ESX box is actually capable of passing 40+Mbit/s through it like that. I was aiming lower so the effect would be easier to see without having to potentially come near the limits of the actual hardware involved.
I can set speed and loss % on VMWare workstation switch ports, so I imagine ESX should be able to do the same, perhaps on the client VM and not on the vswitch.
-
Could I ask how I would make one of the networks behind my server firewall available to the OpenVPN client?
This is the first time I've worked with TAP so a little unsure.
I have added a new NIC on my server firewall, IP 192.168.1.2, assigned this to OPT3 and uplinked this to an unused vSwitch, along with a Windows VM on the same subnet that will run the iperf server. I have also created an allow all firewall rule on OPT3.
I have bridged the OPT3 interface in my OpenVPN server setup but from the client I cannot ping 192.168.1.2.
-
On the 10.99.99.2 side, add a gateway of 10.99.99.1. Then static route for the remote subnet pointing to 10.99.99.1
Do the opposite on the other end. Add static routes for any networks you want to reach.
-
Hi Jim,
Struggling to progress this further as it doesn't look like you can change the switch port speed in ESXi 5. I guess VMWare Workstation is intended more for development, hence the reason for including that feature.
I did try setting the WAN interfaces on the client to 10mbps but the Interfaces widget still reports them as gigabit. I ran two iperf tests, one with the interfaces set to 'auto' and the other with them set to 10mbps. The results were pretty much the same.
On another note, I noticed that just clicking 'save' in the OpenVPN config screen (with nothing changed) upsets the lagg and the pings start failing. By opening the lagg configuration and hitting save, the pings start replying again.
Is this a feature that's on the roadmap for a future release? If the bandwidth test is promising, would you say there is much work involved in getting the failover features to work?
-
Not sure really. It's something we'd like to see working (VPN Bonding) but lagg may not be the most efficient way to get that done in the long run. It's just been a topic lately since zeroshell is doing it that way.
Reconfiguring the lagg as needed may not be difficult to add in the backend but it seems like there are quite a few issues with doing it that way that may end up making it not really feasible to use.
Another way we'd mentioned is doing MLPPP over the tunnels to bond them but that could be even more of a challenge.