Performance mystery with PIA on pfsense
-
Glad to help you. Please let us know if it worked out.
-
Of course! Thank you again. :)
-
pfSense 2.3.2, using PIA with 2 OpenVPN clients combined in one Gateway Group (PIA could not deliver coding/decoding speed with one connection).
Get full ISP speed (500/500 Mbit) with CPU load of ~30%
Hardware: intel i5-3450
VPN:
- AES-256-CBC
- SHA256
- fast-io;
- sndbuf 524288;
- rcvbuf 524288
- Hardware acceleration enabled.
- 2 fixed (same country as client) IP addresses for PIA.
So it should not be PIA restricted, seems CPU restricted.
Could you please explain the steps you took to set this up? I'm lost on how you grouped the 2 vpn connections?
Still learning pfsense stuff. And this would probably help others also.
Thanks
-
First make sure you have 2 operational VPN client connections. Test both of them with firewall rules and check if you can browse pages and check the IP address.
After that: System -> Routing -> Gateway Groups. Add a new gateway group and select both VPN-client interfaces as Tier 1. Give the new gateway group a name and save it.
Now you can select this new gateway in your firewall rules and let the traffic flow :)
@pigbait: Does this answer your question?
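To confirm that the LAN pass rule really picked up the gateway group, here is an added example that is not from this thread or from pfSense itself: a POSIX shell/awk parser for the output of `pfctl -sr` (the active pf ruleset, run from the pfSense console). The interface names ovpnc1/ovpnc2, the rule label and the sample ruleset are assumptions constructed for the example; a policy-routed rule is one that carries a route-to pool, and a rule using a two-tunnel group should list both tunnel interfaces in that pool.

```shell
# Constructed sample of two rules in the form pfctl -sr prints them (not captured
# from a real firewall). The first rule is policy-routed via a gateway group.
SAMPLE_RULES='pass in quick on em1 route-to { (ovpnc1 10.8.0.1), (ovpnc2 10.9.0.1) } round-robin inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on em1 inet from 192.168.1.0/24 to 192.168.1.1 flags S/SA keep state label "USER_RULE: anti-lockout"'

# pool_summary: read ruleset text on stdin and print "<label>|<iface> <iface> ..."
# for every rule that carries a route-to pool. Rules without a pool are skipped,
# because they are not policy-routed and will use the default gateway.
pool_summary() {
    awk '
    /route-to[ \t]*[{]/ {
        pool = $0
        sub(/.*route-to[ \t]*[{]/, "", pool)   # keep the text after the opening brace
        sub(/[}].*/, "", pool)                  # drop everything after the closing brace
        ifs = ""
        while (match(pool, /\([A-Za-z0-9_.]+ /)) {   # "(ovpnc1 10.8.0.1)" -> "ovpnc1"
            name = substr(pool, RSTART + 1, RLENGTH - 2)
            ifs = (ifs == "") ? name : (ifs " " name)
            pool = substr(pool, RSTART + RLENGTH)
        }
        label = $0
        if (sub(/.*label "/, "", label)) sub(/".*/, "", label); else label = "(unlabelled)"
        print label "|" ifs
    }'
}

# pool_size LABEL: read ruleset text on stdin and print how many interfaces sit in
# the route-to pool of the rule with that label; 0 means the rule is not policy-routed.
pool_size() {
    pool_summary | awk -F'|' -v want="$1" '
        $1 == want { print split($2, parts, " "); found = 1 }
        END { if (!found) print 0 }'
}

# Stand-alone run over the constructed sample; on the firewall, feed it "$(pfctl -sr)".
printf '%s\n' "$SAMPLE_RULES" | pool_summary
```

A count of 1 for a rule that should use the two-tunnel group means the group was not selected in that rule's Advanced Options; a count of 0 means the rule still routes via the default gateway.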
-
I think I can manage :o if not I'll keep you posted. Thanks for your time with this, I appreciate it.
-
I'm lost in the firewall rules. I don't see the gateway group?
Thanks
-
If you can see the group you've created in Status>Gateways>Gateway Groups, you also should see it in the Advanced Options of the firewall rule you're going to modify.
-
What is the location under the firewall I want to modify that's what I don't understand. I can follow system>routing>gateway groups. I made the group then I don't understand what I need to do or where to go in the firewall rules.. sorry I'm a complete noob…
Also my group under status shows offline? Not sure if that's normal till the firewall rules are set.
-
@pigbait
Have you enabled the VPN connections, one per gateway? If yes, your gateway group should be online.
So you should go to Firewall>Rules>LAN and in the field "Gateway" of the "Advanced Options" of the pass rule that your devices are using to go out (eg "Default allow LAN IPv4 to any rule"), you should select the gateway group.
-
With a benchmark like that I would have expected about 100 Mbps in download.
I regret not being able to help you more.
The only thing I can add to the info about my settings is that I'm running the 2.3.2 stable version.
If you will solve the issue, I'd like to read the adopted solution.
Cheers
-
Back at it. With two clients I can reach about 120Mbps in a speed test. At that point, my CPU shows 0% idle in top. So, I just took possession of an Athlon 5350 to replace the Sempron 2650. That will give me four cores at 2GHz instead of two at 1.45GHz. Additionally, I'm replacing the laptop drive with an SSD. (not that that has any bearing on OpenVPN, just doing it while I'm taking the box down for an upgrade). Will report back.
-
Thanks for your time. But I must be missing something and you're going to start thinking I'm stupid. :o :o :o… I have taken screenshots of what I have.
First off I set up 2 PIA VPN connections following this guide ( https://www.privateinternetaccess.com/forum/discussion/21875/ ). They both connect and get PIA IP addresses. Afterward I take both VPN interfaces and make a group, but for some reason they don't show as online... but the VPN is working as my PCs report the PIA IP addresses.
These are the screenshots of what I think is important for you to help me with...
Thanks for your time and patience, it's very well appreciated honestly... I feel bad being that annoying guy...
![Openvpn status.png](/public/imported_attachments/1/Openvpn status.png)
![VPN clients.png](/public/imported_attachments/1/VPN clients.png)
![gateway status.png](/public/imported_attachments/1/gateway status.png)
![group status.png](/public/imported_attachments/1/group status.png)
![Firewall LAN rules.png](/public/imported_attachments/1/Firewall LAN rules.png)
![System status.png](/public/imported_attachments/1/System status.png)
-
Ciao whosmatt,
thanks for the report, really appreciated!
Managing to pass from 70Mbps to 120Mbps confirms that M_Devil's method works and that it will save me a bit of money when I make the line upgrade. :)
Now your situation seems definitely a CPU performance problem, so I think you made the right choice going to an Athlon 5350.
Please keep us updated!
-
Ciao pigbait,
I compared our settings and did not find anything unusual. In the past my gateways were also offline; I solved it with a new installation of pfSense. On the forum you will find some threads about it, with different solutions, so you are not alone in this situation. In any case my connections had worked well and I understand that yours are working too in spite of this sort of "false positive."
The point is whether you notice a performance improvement using two aggregated clients instead of only one. Let us know, please.
-
With the 5350 I can reach full speed of my connection with a single client; around 150Mbps. Success!
-
Congratulations, well done!
May I bother you by asking you to repeat the test on the first page, when you have the time?
-
Sure.. I get a theoretical max of 130Mbps
-
Thank you very much!
-
Just want to update a bit… even though my speed tests show that my CPU can handle the throughput of my connection with a single client, I've found that with two clients, the speeds are much more stable throughout the day. I suppose this accounts for load and performance variations on PIA's end. And for the applications I use that really do use that much bandwidth, (Steam, for example) multiple connections are supported and so the throughput of my WAN connection is easy to max out and balance over two tunnels in a real world situation rather than just a speed test.
-
So I think I've been doing this right… I've got two VPN connections. I have then created an interface called PIAVPN and I put that interface into the outgoing NAT table under the WAN options... I then connected each of the VPN connections to PIAVPN under interfaces (assign) and proved that both of them are in fact working.
I then created a gateway group and put both of these interfaces into the gateway group as tier I.
I then changed my WIFI_TRUST subnet from the PIAVPN interface on the Outgoing NAT table to just "OpenVPN". I then also went into the WIFI_TRUST rules and changed the pass rules to use the new Gateway Group in Advanced Options.
At this point I then restarted all of the VPN services for double assurance.
As I then tested things from a client on the WIFI_TRUST subnet I found that all of my "what is my ip" tests came up as the VPN1 connection and the VPN2 connection never seemed to get used. I found that for some reason my console version of the speedtest.net test would no longer run reliably like it did when I was on each connection individually. I also found that when I was browsing the web that pages would take a bit longer to start loading and working. Kinda like if you had a slightly slow DNS server.
What might I be doing wrong, or do I have incorrect expectations here? My understanding is that I should see my IP change on a per-connection basis. Thus one "what is my ip" test should come up as Seattle and later, after running a few, I should see some come up as San Jose, right? I also suspect that my speed tests would be the same for a single client, but if I were to test on multiple clients I'd better be able to take advantage of the CPUs and I'd get greater than the 50Mbit I get on a single core. I found that when using the gateway group it's slightly lower throughput than when just linked up to the one connection directly.
Any help is greatly appreciated.
Oh and PS: I'm on a D525 Atom chip (no AES-NI support, dual core 1.8GHz HT). 4GB of RAM. I can get as much as about 50Mbit with AES-128-CBC on a single thread. My connection is 120Mbit.
When I run the test mentioned on page 2 I get:
aes-256-cbc : real 56.15 : Theoretical of 56Mbit
aes-128-cbc : real 48.72 : Theoretical of 65Mbit
I'm actually using aes-128-cbc and I'm seeing around 50Mbit as my top speed, and the CPU on the front page generally jumps to 48 or a full 50% while the speed test runs.
Thanks!
-
In short, using multiple tunnels is functionally equivalent to a multi-WAN setup, and if your tunnels are up and stable, there's no difference. There are some situations where it excels, some situations where it acts just like a single tunnel, and some situations where it breaks or at least is not ideal.
For example, your "what is my IP" tests will only ever show one of the two public IPs, and that is generally sticky in the short term but may change if you test again after a while. But it may not.
For a reliable speed test, try https://www.dslreports.com/speedtest. That will use both (or all, if more than two) connections and let you know via a proxy warning that it did.
I have a lot of policy routing rules in my LAN ruleset to work around some of the possible issues that may occur with a multi-WAN/tunnel setup.
I'll try and respond in more detail later. It's late here.
Matt