MTU issue? Unable to transmit large data



  • I've got openVPN running successfully. I can see all of the machines on the local network and communicate with them.

    The problem occurs when I try any kind of 'heavy' SSH traffic or 'heavy' Samba traffic.
    With SSH I am able to log in and run basic commands (uptime, cd, top) without issue. If I try an ls of a large directory I get maybe 1/3 through the listing and the output hangs (the location is fairly reproducible); it will continue eventually and takes about 2 minutes to run the entire command (according to the time command). If I run the same command and pipe the output to something off screen it takes less than 1 second to complete.

    With Samba shares I can generally navigate through them, but if I arrive at a folder with a large amount of (usually) large files everything slows way down, almost as if it's hanging temporarily like with SSH. If I try to open a file I am unable to, and the explorer window often becomes unresponsive.

    My research has led me to believe that it could be an issue with MTU size, although I do not see MTU errors in the logs.

    Any help or advice would be greatly appreciated!!

    Setup:
    'Road warrior' laptop (currently not firewalled) talking to a WRT54GL running DD-WRT. This 'AP' is doing little more than DHCP; there is no WAN connection to it. Its MTU size is set at 1500. The wifi is plugged into the WAN port on a pfSense box. This box acts as a VPN endpoint for secure wifi access to the LAN. There is another pfSense box with active WAN ports which provides internet access and other services to the LAN.

    wifi clients -> wifi ap -> pfsense box 1 ->{lan servers, hardwired desktops} <-pfsense box 2 <-{internet}

    I can post logs/configs as needed.
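The first post suspects the MTU. The script below is an added example, not something posted in this thread, that does the standard check for that suspicion: it binary-searches the largest ICMP payload that crosses the tunnel with the DF bit set, converts it to a path MTU and derives the matching OpenVPN value. It assumes a Linux client with iputils ping (`-M do` sets DF) and an assumed LAN host `PROBE_HOST` (placeholder 10.0.0.1) that answers ping through the VPN.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: binary-search the largest ICMP
# payload that crosses the tunnel with DF (don't fragment) set, turn it into
# a path MTU and derive the matching OpenVPN value. Assumes a Linux client
# with iputils ping (-M do sets DF); PROBE_HOST is an assumed LAN host
# behind the VPN that answers ping.
PROBE_HOST="${PROBE_HOST:-10.0.0.1}"

# Probe: does a DF-marked ping carrying $1 payload bytes get a reply?
probe_df_ping() {
    ping -M do -c 1 -W 1 -s "$1" "$PROBE_HOST" >/dev/null 2>&1
}

# Largest payload for which probe function "$3" succeeds, searched between
# $1 (a size known to work) and $2 (a size known to fail).
find_max_payload() {
    lo=$1; hi=$2; probe=$3
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(((lo + hi) / 2))
        if "$probe" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# Path MTU = ICMP payload + 8 (ICMP header) + 20 (IPv4 header).
payload_to_mtu() { echo $(($1 + 28)); }

# mssfix/fragment (UDP mode only) cap the encapsulated UDP payload, so
# they must leave room for the outer 20-byte IPv4 and 8-byte UDP headers.
mtu_to_mssfix() { echo $(($1 - 28)); }

# On a clean 1500-byte tun the answer is 1472. Anything lower means either
# the tun MTU is smaller or some hop drops large packets, which matches
# "short commands fine, big listings hang". The configs in this thread use
# proto tcp, where fragment/mssfix do not apply, so there a low result
# points at the path itself rather than at an OpenVPN option.
run_probe() {
    max=$(find_max_payload 0 1500 probe_df_ping)
    mtu=$(payload_to_mtu "$max")
    echo "largest unfragmented payload: $max bytes (path MTU $mtu)"
    echo "if switching to proto udp: mssfix $(mtu_to_mssfix "$mtu")"
}

if [ "${1:-}" = run ]; then run_probe; fi
```

Run it as `sh mtu_probe.sh run` from the laptop while the VPN is up; run it a second time against the AP or pfSense address directly, and a lower result through the tunnel than outside it narrows the problem to the VPN path.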



  • Well, I've been doing some more research…
    I am able to pull down large files (Linux ISOs, etc.) at a speed reasonable for my WAN connections via HTTP.
    Skype works just fine. As does Google Talk.

    I am unable to use Windows Remote Desktop to connect to computers on the LAN through the VPN.

    So what do SSH, Samba and RDC have in common that HTTP and Skype don't?



  • I've found people with similar problems, but from several years ago.
    See this thread:
    http://openvpn.net/archive/openvpn-users/2003-09/msg00038.html

    I've tried their suggestions about MTU sizes with no luck.

    Does anyone have a working OpenVPN road warrior setup they would like to share?



  • I know that RDP is a TCP program, and until pfSense is upgraded with a WAN accelerator anything that is "TCP chatty" is going to be slower than ideal.

    I do have a working config, but it is just the same as some of the vanilla configs out there.

    Also, I have dual WANs, so I have the failover retry config here:

    float
    port 1194
    dev tun
    dev-node vpn
    #dev-node ovpn <- ovpn is the name of the renamed interface
    proto tcp-client
    remote ip.ad.dr.ess 1194
    remote ip.ad.dr.ess  1194
    resolv-retry 30
    ping 10
    persist-tun
    persist-key
    tls-client
    ca ca.crt
    cert cert.crt
    key key.key
    ns-cert-type server
    #comp-lzo <- to enable remove the #
    pull
    verb 4



  • @wjs:

    > does anyone have a working openvpn road warrior setup they would like to share?

    pfSense server config auto-created by the GUI:

    $ less /var/etc/openvpn_server0.conf
    writepid /var/run/openvpn_server0.pid
    #user nobody
    #group nobody
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    dev tun
    proto tcp-server
    cipher BF-CBC
    up /etc/rc.filter_configure
    down /etc/rc.filter_configure
    server 10.0.3.0 255.255.255.0
    client-config-dir /var/etc/openvpn_csc
    lport 1194
    push "dhcp-option DISABLE-NBT"
    ca /var/etc/openvpn_server0.ca
    cert /var/etc/openvpn_server0.cert
    key /var/etc/openvpn_server0.key
    dh /var/etc/openvpn_server0.dh
    comp-lzo
    persist-remote-ip
    float
    push "route 10.0.0.0 255.255.254.0"

    Windows client:
    client
    dev tun
    proto tcp
    remote myserver.mydomain.internet 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert dskt6624.crt
    key dskt6624.key
    ns-cert-type server
    cipher BF-CBC
    comp-lzo
    verb 3



  • Thanks chazers18 and GruensFroeschli for your replies.

    I don't see any major differences between your posts and mine. I'm thinking that I might have misconfigured something in the routing or NATing on one of the boxes.

    As a follow-up, RDC also 'kinda works'. I can connect to one machine (of the two that I tried so far). That being said, the connection is unusable; it drops in and out, hardly refreshes, and is unresponsive to input.

    I am thinking about merging the functionality of the two machines to see if that fixes this. It should simplify things at least…

    Oh well, wish me luck.

