I would always set 'don't pull routes' personally. Otherwise you're at the mercy of whatever they want to send you, which is usually a new default route.
However if you don't pull routes from them you need to policy route the traffic you want via the VPN gateway.

Steve

Yes, it is official, I am stupid! 🙄

I use limiters and I had them also acting on my LAN interface! I've now updated the relevant firewall rule to only apply when "destination NOT LAN net." With that change, iperf is now back to normal.

Connecting to host 192.168.7.1, port 5201 [ 5] local 192.168.7.2 port 58164 connected to 192.168.7.1 port 5201 [ ID] Interval Transfer Bitrate Retr Cwnd [ 5] 0.00-1.00 sec 74.1 MBytes 622 Mbits/sec 0 840 KBytes [ 5] 1.00-2.00 sec 70.0 MBytes 587 Mbits/sec 0 1.53 MBytes [ 5] 2.00-3.00 sec 70.0 MBytes 587 Mbits/sec 0 1.70 MBytes [ 5] 3.00-4.00 sec 71.2 MBytes 598 Mbits/sec 1 1.24 MBytes [ 5] 4.00-5.00 sec 70.0 MBytes 587 Mbits/sec 0 1.37 MBytes [ 5] 5.00-6.00 sec 70.0 MBytes 587 Mbits/sec 0 1.47 MBytes [ 5] 6.00-7.00 sec 70.0 MBytes 587 Mbits/sec 0 1.55 MBytes [ 5] 7.00-8.00 sec 70.0 MBytes 587 Mbits/sec 0 1.61 MBytes [ 5] 8.00-9.00 sec 70.0 MBytes 587 Mbits/sec 1 1.18 MBytes [ 5] 9.00-10.00 sec 70.0 MBytes 587 Mbits/sec 0 1.26 MBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bitrate Retr [ 5] 0.00-10.00 sec 705 MBytes 592 Mbits/sec 2 sender [ 5] 0.00-10.02 sec 703 MBytes 588 Mbits/sec receiver iperf Done.

Thank you @johnpoz @stephenw10 for the hints and setting my mind on the right path.

@mohkhalifa said in pfSense on ESXi | Best Practices:

problem SOLVED after "Disabling hardware checksum offload"

Awesome. I poked around on a few of mine and didn't find any with that enabled. Mostly Dell hardware here. Good find.