Weird VPN bandwidth pattern (both in OpenVPN and IKEv2)
-
after having used pfSense 2.x for several years on an alix apu, we had to replace the hardware due to a broken disk. the new machine is a rather beefy sun server. unfortunately, the vpn traffic seems broken in the incoming direction:
speed measurements (iperf):
- ipv4 direct connection: client -> server: ~800mbit (0% cpu)
- ipv4 direct connection: server -> client: ~800mbit (0% cpu)
- openvpn udp: client -> server: ~1.0mbit (0.1% cpu)
- openvpn udp: server -> client: ~128mbit (28% cpu)
- openvpn tcp: client -> server: ~1.1mbit (0.1% cpu)
- openvpn tcp: server -> client: ~199mbit (30% cpu)
- ikev2: client -> server: 2.2mbit (2% cpu)
- ikev2: server -> client: ~221mbit (32% cpu)
current setup
- topology: [client] – [1gbit/1gbit fiber] – [isp] – [1gbit/1gbit copper] – [pfsense] – [server]
- isp provides both ftth and our rack uplink, both are symmetrical gbit connections without rate limiting
- pfsense hardware: amd64 on sun fire x4100 m2 (2x amd opteron 2220 se 2.8 ghz dual core), 24g ram, 2x 73 sas drives; 2x 1g nvidia nforce, 2x 1g broadcom NetXtreme 82546eb
- pfsense config: v2.2.6 amd64, transparent bridge mode on em0 -> em1 (broadcom), vpn services configured on bridge
I'm currently out of ideas and would appreciate any pointers on where to look next. I have already tested the following things:
- disabled hardware acceleration
- enforced the MTU
- enabled net.inet.ip.fastforwarding
- switched network ports (nvidia <-> broadcom)
-
Check that your interfaces are properly negotiating link speed/duplex; on both ends of each link.
A 100mbps Half-duplex link would produce what you're experiencing.
-
> Check that your interfaces are properly negotiating link speed/duplex; on both ends of each link.
> A 100mbps Half-duplex link would produce what you're experiencing.

pfsense reports:

BRIDGEIN interface (wan, em0) Media: 1000baseT <full-duplex>
BRIDGEOUT interface (opt1, em1) Media: 1000baseT <full-duplex>
LAN interface (lan, nfe0) Media: 1000baseT <full-duplex,flowcontrol,master,rxpause,txpause>
this matches the uplink and local switch port configurations.
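The link speed/duplex check suggested in the reply, as an added Python example that is not part of the thread: it parses the `media:` and `status:` lines of FreeBSD/pfSense `ifconfig` output and flags any interface that did not negotiate the expected speed, negotiated half-duplex, or has no carrier. The format assumed is the stock FreeBSD `ifconfig` layout; the sample below is constructed, with em0, em1 and nfe0 carrying the media strings reported in the thread and em2/em3 added as constructed failure cases. It only sees the pfSense side of each link; the switch and ISP side still has to be read from that equipment.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in FreeBSD/pfSense `ifconfig` format. em0, em1 and nfe0
# reproduce the media strings the thread reports; em2 (100 Mbit half-duplex)
# and em3 (no carrier) are constructed failure cases.
SAMPLE_IFCONFIG = """\
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tmedia: Ethernet autoselect (1000baseT <full-duplex>)
\tstatus: active
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tmedia: Ethernet autoselect (1000baseT <full-duplex>)
\tstatus: active
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tmedia: Ethernet autoselect (1000baseT <full-duplex,flowcontrol,master,rxpause,txpause>)
\tstatus: active
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tmedia: Ethernet autoselect (100baseTX <half-duplex>)
\tstatus: active
em3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tmedia: Ethernet autoselect (none)
\tstatus: no carrier
"""

# Interface header, media line and status line of stock FreeBSD ifconfig output.
IFACE_RE = re.compile(r"^(?P<name>[A-Za-z][\w.]*): flags=")
MEDIA_RE = re.compile(r"^\s+media:\s+\S+\s+(?P<rest>.+?)\s*$")
STATUS_RE = re.compile(r"^\s+status:\s+(?P<status>.+?)\s*$")
# "1000baseT <full-duplex,flowcontrol>" -> speed + comma-separated options
DETAIL_RE = re.compile(r"^(?P<speed>[\w-]+)(?:\s+<(?P<opts>[^>]*)>)?$")


def _parse_media(rest: str) -> Tuple[Optional[str], List[str]]:
    # "autoselect (1000baseT <full-duplex>)" -> negotiated result in parentheses
    # "1000baseT <full-duplex>"               -> media forced by hand, no parentheses
    # "autoselect (none)" / "autoselect"      -> nothing negotiated
    m = re.search(r"\((?P<inner>[^)]*)\)", rest)
    inner = (m.group("inner") if m else rest).strip()
    if inner in ("", "none", "autoselect"):
        return None, []
    d = DETAIL_RE.match(inner)
    if not d:
        return None, []
    opts = [o for o in (d.group("opts") or "").split(",") if o]
    return d.group("speed"), opts


def parse_ifconfig(text: str) -> Dict[str, dict]:
    """Return {ifname: {"speed": str|None, "options": [...], "status": str|None}}."""
    links: Dict[str, dict] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name")
            links[current] = {"speed": None, "options": [], "status": None}
            continue
        if current is None:
            continue
        m = MEDIA_RE.match(line)
        if m:
            links[current]["speed"], links[current]["options"] = _parse_media(m.group("rest"))
            continue
        m = STATUS_RE.match(line)
        if m:
            links[current]["status"] = m.group("status")
    return links


def check_links(links: Dict[str, dict], expected_speed: str = "1000baseT") -> List[Tuple[str, str]]:
    """List (interface, problem) pairs for links that would explain a throughput collapse."""
    problems: List[Tuple[str, str]] = []
    for name, info in links.items():
        if info["status"] is not None and info["status"] != "active":
            problems.append((name, f"status is '{info['status']}'"))
        if info["speed"] is None:
            problems.append((name, "no negotiated media"))
        elif info["speed"] != expected_speed:
            problems.append((name, f"negotiated {info['speed']}, expected {expected_speed}"))
        if "half-duplex" in info["options"]:
            problems.append((name, "half-duplex"))
    return problems


if __name__ == "__main__":
    # On a pfSense box:  ifconfig | python3 check_links.py  (replace SAMPLE_IFCONFIG
    # with sys.stdin.read()); here the constructed sample is used instead.
    found = check_links(parse_ifconfig(SAMPLE_IFCONFIG))
    for iface, problem in found:
        print(f"{iface}: {problem}")
    if not found:
        print("all links at expected speed, full-duplex")
```

The three interfaces in the thread pass the check; only the constructed em2 and em3 entries are reported. The `flowcontrol`/`rxpause`/`txpause` options on nfe0 are left alone on purpose, since they describe pause-frame support rather than a negotiation failure.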