Netgate Discussion Forum
    Slow peering = slow IPsec. Any way to route around?

      SpaceBass

      Hey friends,
      This is more of a general networking and WAN question but since all the endpoints involved are pfSense, I thought I'd throw myself on the mercy of this group :)

      For a while I've been trying to nail down some slow IPsec performance.

      For a while, I was getting almost full line speed between my two servers outside of my tunnel. Now, it seems, I am not. And that's remained consistent.

      My two external servers are both on OVH's networks: one in Canada and one in France. My 'home' location is San Francisco. San Francisco is on a symmetrical gig fiber line. Canada and France both have 250mbs connections.

      I've also spun up a DigitalOcean droplet in San Francisco for testing. Let's call it Digitalocean.

      Here's what I'm seeing using iperf3 (I've tested with iperf3 running on my SG-4860 directly and on a host behind the firewall. The results are the same).

      These are all outside of the tunnel

      Canada <--> San Francisco: 22.9 Mbits/sec
      France <--> San Francisco: 22.7 Mbits/sec

      Canada <--> Digitalocean: 146 Mbits/sec
      France <--> Digitalocean: 136 Mbits/sec

      Digitalocean <--> San Francisco: 537 Mbits/sec

      If I'm getting >100mbs between DigitalOcean's S.F. location and from that DigitalOcean droplet to my S.F. pfSense I get >500mbs... can I use that to my advantage somehow?

      I'm thinking I need to solve this before I get back to troubleshooting my IPsec issues :)

      So, here are my questions....

      1. Is it reasonable to assume that I have a peering and/or external routing issue?
      1.5) Is it reasonable to assume that, if that's true, it is generally out of my control?
      2. If both of those are true, could I do something with a DigitalOcean or similar VPS to route between these remote servers and my San Francisco location? I'm thinking something with less overhead than a 2nd IPsec tunnel... maybe just a simple proxy?
      3. Is there a better way to skin this proverbial cat?
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.