VPN tunnels massively slows down if high network traffic
-
So what's with this: VPN tunnels massively slows down if high network traffic
-
@derelict
You are right. As I am on vacation and have closely monitored it yesterday, the assumption is that it is not caused by high traffic. Unfortunately it happens now every 5 minutes if my wife and I are working.
-
Pretty much nothing on pfSense can make an echo reply take a second to get back to you.
-
If you have gateway monitoring on WAN (the default setting), the system is automatically keeping track of two pings per second in Status > Monitoring.
From there select settings, change the left axis to Quality / WANGW (or the local equivalent). A good place to start with Options: 8 hours, Resolution: 1 minute.
Another place to check is in Status > System Logs, Gateways. Any events there with "Alarm" in them are times when the ping monitor had excessive loss or latency.
A failure will look something like this: Jan 7 15:05:31 dpinger WANGW 8.8.8.8: Alarm latency 0us stddev 0us loss 100%
Lines like this are just the dpinger process starting or reloading and are normal:
dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.4.4 bind_addr 198.51.0.16 identifier "DSLGW "
Sometimes it is beneficial to change your monitoring address to something further out. In that example you can see that I am monitoring a Google DNS server there. In general, monitoring the ISP gateway is fine if it reliably responds to pings. Changes to the monitor IP address can be made in System > Routing and editing the appropriate gateway.
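As an added illustration of the log-reading advice in the post above (this is example code written for this thread, not pfSense or dpinger code), the script below separates dpinger start/reload lines from "Alarm"/"Clear" events in a Status > System Logs > Gateways excerpt, reads the latency_alarm and loss_alarm thresholds out of the reload line, and states for each alarm whether it was the loss or the latency threshold that tripped. The sample log is constructed: the two line shapes follow the lines quoted in the thread, while the timestamp on the reload line, the "Clear" counterpart of "Alarm", the bind_addr value and the default thresholds are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of the Gateways log. Line shapes follow the thread; the
# reload-line timestamp, the "Clear" line and bind_addr are assumed values.
SAMPLE_LOG = """\
Jan 7 15:00:00 dpinger send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr 198.51.100.16 identifier "WANGW "
Jan 7 15:05:31 dpinger WANGW 8.8.8.8: Alarm latency 0us stddev 0us loss 100%
Jan 7 15:06:02 dpinger WANGW 8.8.8.8: Clear latency 23110us stddev 4021us loss 0%
Jan 7 15:11:45 dpinger WANGW 8.8.8.8: Alarm latency 1203554us stddev 310220us loss 5%
"""

# Thresholds used until a reload line announces the configured ones (assumed defaults).
DEFAULT_THRESHOLDS = {"latency_ms": 500, "loss_pct": 20}

# Start/reload line: pull out the alarm thresholds and the gateway identifier.
START_RE = re.compile(
    r"dpinger send_interval .*?latency_alarm (?P<lat>\d+)ms loss_alarm (?P<loss>\d+)% "
    r"dest_addr (?P<dst>\S+) bind_addr (?P<bind>\S+) identifier \"(?P<gw>[^\"]*)\""
)

# Event line, e.g. "Jan 7 15:05:31 dpinger WANGW 8.8.8.8: Alarm latency 0us stddev 0us loss 100%".
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dpinger (?P<gw>\S+) (?P<dst>\S+): "
    r"(?P<state>Alarm|Clear) latency (?P<lat>\d+)us stddev (?P<sd>\d+)us loss (?P<loss>\d+)%$"
)


@dataclass
class GatewayEvent:
    timestamp: str
    gateway: str
    monitor_ip: str
    state: str          # "Alarm" or "Clear"
    latency_ms: float   # dpinger reports microseconds; converted here
    stddev_ms: float
    loss_pct: int
    reason: str = ""    # for alarms: "loss", "latency", "both" or "unknown"


def parse_start_line(line: str) -> Optional[Dict]:
    """Return thresholds and identifiers from a dpinger start/reload line, else None."""
    m = START_RE.search(line)
    if not m:
        return None
    return {"gateway": m["gw"].strip(), "monitor_ip": m["dst"], "bind_addr": m["bind"],
            "latency_ms": int(m["lat"]), "loss_pct": int(m["loss"])}


def parse_event_line(line: str) -> Optional[GatewayEvent]:
    """Return a GatewayEvent for an Alarm/Clear line, else None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return GatewayEvent(m["ts"], m["gw"], m["dst"], m["state"],
                        int(m["lat"]) / 1000.0, int(m["sd"]) / 1000.0, int(m["loss"]))


def explain_alarm(ev: GatewayEvent, thresholds: Dict) -> str:
    """Say which threshold the alarm exceeded (strict comparison is an assumption)."""
    over_loss = ev.loss_pct > thresholds["loss_pct"]
    over_lat = ev.latency_ms > thresholds["latency_ms"]
    if over_loss and over_lat:
        return "both"
    if over_loss:
        return "loss"
    if over_lat:
        return "latency"
    return "unknown"


def summarize(log_text: str) -> Dict:
    """Split a Gateways log into reload count, alarm events and clear events."""
    thresholds = dict(DEFAULT_THRESHOLDS)
    reloads = 0
    alarms: List[GatewayEvent] = []
    clears: List[GatewayEvent] = []
    for line in log_text.splitlines():
        start = parse_start_line(line)
        if start:                     # normal: dpinger starting or reloading
            reloads += 1
            thresholds = {"latency_ms": start["latency_ms"], "loss_pct": start["loss_pct"]}
            continue
        ev = parse_event_line(line)
        if ev is None:
            continue
        if ev.state == "Alarm":
            ev.reason = explain_alarm(ev, thresholds)
            alarms.append(ev)
        else:
            clears.append(ev)
    return {"thresholds": thresholds, "reloads": reloads, "alarms": alarms, "clears": clears}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"reloads: {report['reloads']}  thresholds: {report['thresholds']}")
    for a in report["alarms"]:
        print(f"{a.timestamp} {a.gateway} ALARM  latency={a.latency_ms:.1f}ms "
              f"loss={a.loss_pct}%  tripped on: {a.reason}")
    for c in report["clears"]:
        print(f"{c.timestamp} {c.gateway} clear  latency={c.latency_ms:.1f}ms loss={c.loss_pct}%")
```

Run against the sample, the first alarm is attributed to loss (100% with 0 µs latency, the shape of a dead link) and the second to latency (about 1.2 s, the kind of delay the thread's graphs showed). Feed it a real log excerpt in place of SAMPLE_LOG; the reload lines are counted but never reported as problems.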
-
thanks a lot.
I am pinging an outside DNS server. The monitoring itself works. With the latency issues comes the issue that the internet can hardly be used (or even worse).
-
Right. Look at the historical quality graph.
-
That delay is abysmal.
Now add the right axis, Traffic, WAN
-
OK so there is no traffic reason for the delay.
At first glance I'd say your ISP/Your ISP circuit is having serious problems.
-
Depending on the current situation, that I have massive problems at the moment, I would assume that as an option as well ...
Just wanted to make sure that there is no config error.
-
There is nothing in pfSense that can send an echo request out WAN and delay the echo reply 1200ms before it arrives on WAN.
-
I have found out what the issue is. The cheap f*** internet gateway router detects a sync flood and slows down the interface ...
So I will get a fritzbox as a Modem instead of this thing.
As a workaround I have disabled all VPN clients and only use the WAN GW. Hopefully it will not get too much on my nerves until this evening.
-
Nice, that will do it!
You can't disable that? Or tune it? I assume you mean 'SYN flood' which this is not. Something that is a modem only is a better option though I agree.
Steve
-
Autocorrect did the syn"c" ;)
This ISP router cannot tweak anything ...
Unfortunately today no good stand-alone modems are available. So another router where no router is really needed.
-
@paoloest said in VPN tunnels massively slows down if high network traffic:
Unfortunately today no good stand-alone modems are available. So another router where no router is really needed.
Sure there are, for (V)DSL you can use the Draytek Vigor 165 for example. For cable it depends on your provider.
-
@grimson said in VPN tunnels massively slows down if high network traffic:
Draytek Vigor 165
Thanks a lot. I have seen this, but it costs more than the Fritzbox 7530. The pros of the Fritzbox for me were that the modem (with the same specs) is built in and I can have one more security layer (and with the Fritzbox I can fine-tune the parameters).
Would you choose the modem over the router?
-
@paoloest said in VPN tunnels massively slows down if high network traffic:
Would you choose the modem over the router?
When using pfSense, always. Double-NAT just adds useless complexity and the pfSense devs are a lot faster in fixing security issues than the AVM devs.
-
And beyond the pfSense there is a Sophos UTM for one subnet and an XG for another.
So maybe no bad idea to leave one layer of complexity ;)
-
You guys actually have VDSL2+? No jealousy here!
Otherwise the V130 would likely be cheaper.
Steve
-
@stephenw10
Sounds like another +1 for the Vigor.
VDSL2+ - 3 weeks to go
-
@stephenw10 said in VPN tunnels massively slows down if high network traffic:
You guys actually have VDSL2+? No jealousy here!
Not too bad for a little village in the hills. Real fiber would be nicer, but that's not going to happen anytime soon here.
Edit: this is with a current link uptime of 6 weeks.
-
Nice!
-
Today the vigor will arrive and I am prepared to set it up ;)
One question: if it runs as a modem via PPPoE and the connection is initiated by the pfSense, how can you dial in to the web interface of the modem? (The WAN interface has no IP in the subnet of the modem.)
Do you have one VLAN (7) as gateway VLAN and another as a management VLAN with a static IP in the Vigor subnet?
-
One method:
https://docs.netgate.com/pfsense/en/latest/interfaces/accessing-modem-from-inside-firewall.html