Troubleshooting wan/openvpn Network Problems

  • I am using pf-sense 2.4.4 on a netgate SG-1100, configured for AirVPN. I have a tp-link, c2600 dumb AP for wireless, configured with OpenWRT 18.06.05. Up until a few weeks ago, my connection was perfect: AirVPN connection worked well at ~20+mbs download speed. Fine for my needs. Latency is bad, ~300+ms, but then again, I'm in China and it's ok for my needs.

    Now, I am frequently experiencing the spinning wheel of frustration when I am streaming video on my Apple TV. 3-4 times of ~30 second 0 MBs download speeds in a 5-10 minute period is not uncommon. Because I like to "tinker" with my settings (I recently tried the 19.07 rc2 for OpenWRT), I'm thinking I did something to cause the problem. I have since reverted to the original OpenWRT settings I had (v 18.06.05) when all was working ok. Of course, I'm still running into the same problem now.

    I'm thinking it may be traffic shaping by the great Chinese firewall, but I'm not positive. It could also be a configuration issue on my end. One reason for my thinking it's a configuration issue is that when I try to log in to the pfsense dashboard from a network connection (not wireless), the dashboard doesn't load until my internet connection is working. Strange.

    I've monitored the wan download speed via pfsense traffic monitoring, and I can clearly see when the download speed via the openvpn wan connection crawls to next-to-nothing. Short of doing that, I'm not sure how to troubleshoot the issue further. Since I'm a hobbyist, and not a trained network engineer, any advice to trace the problem would be of help.

    Thanking you in advance.

  • @BaseBallHat Use a lan cable and try pinging something in china not protected by the great china firewall constantly, from a pc. (ping -t on windows)
    And/Or just ping your pf lan.
    When delays are experienced, check your ping.
    This will give you some idea where the problem is.
    It could be wifi interference from neighbors, local connectivity issues (like cabling faults).
    The possibility of throttling also exists, but it would not affect local pings.
    I suppose the vpn covers all your traffic; you need to allow traffic out of the vpn to see what's happening. This can be tricky and might expose what you do where you don't want to. (including dns leaks)
    So be extra careful about that.
    You are not in kansas anymore.

  • @netblues Thank you! I'll try this later today.

    Heading back to the US for the holidays for a couple of weeks, so I probably won't sort through this until I'm back after the new year.

  • @BaseBallHat

    If you're in China, then it might be due to the Great Firewall of China. They're really cracking down on VPNs. If that is the case, pings won't tell you much.

  • @JKnott Yup, you're right....


  • @BaseBallHat

    Is that with the VPN up? I wouldn't expect them to block pings, unless they're also blocking specific addresses. I can't imagine anything with that would be an issue for them.

  • @JKnott Yes, this was when the VPN was up, and there was little-to-no inbound wan network traffic. As for, yes, I can reach the site outside of the VPN without a problem.

  • @JKnott I was also able to ping my internal network without a problem, e.g. router and Apple TV.

  • @BaseBallHat You have to be more consistent.
    Pings should run continuously, preferably not from pfsense (or from pf with multiple ssh sessions).
    What we are trying to see is if the problem (when it happens) is only related to traffic passing through the tunnel, or everything.
    This practically means that you need to configure traffic passing outside the vpn.
    (and going preferably to a local chinese site...which has ping enabled e.g
    it pings for me and looks like is in china.. )
    With the pings running and things working normally you should be able to establish a baseline on how things work as far as packet loss and rtt is concerned.
    Then when you have issues pings will give you an idea where the problem is.
    (local wifi, baseband ? connection, local traffic, vpn traffic/throttling).

    Good luck.
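
The comparison described in the post above, as an added example that is not part of the original thread: it takes three continuous ping logs recorded at the same time from a wired PC (LAN gateway, a host reached outside the VPN, a host reached through the VPN) and labels each second by the nearest path that dropped the probe. It assumes Linux iputils `ping -D -O` output; the addresses and sample logs are constructed placeholders, and targets are given by IP so the test itself does no DNS lookups.

```python
import re
from collections import Counter

# iputils "ping -D -O" output: "[epoch.usec] 64 bytes from ...: ... time=X ms"
# for a reply, "[epoch.usec] no answer yet for icmp_seq=N" for a lost probe
# (the loss line is printed about one interval after the probe was sent).
LINE = re.compile(r"^\[(\d+)\.\d+\] (?:\d+ bytes from .* time=([\d.]+) ms"
                  r"|no answer yet for icmp_seq=\d+)")

def parse(text):
    """Map each whole second to the RTT in ms, or None for a lost probe."""
    probes = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            probes[int(m.group(1))] = float(m.group(2)) if m.group(2) else None
    return probes

def classify(lan, direct, vpn):
    """Label every second seen in all three logs by the nearest failing path."""
    labels = {}
    for sec in sorted(set(lan) & set(direct) & set(vpn)):
        if lan[sec] is None:
            labels[sec] = "local"        # Wi-Fi, cabling or the router itself
        elif direct[sec] is None:
            labels[sec] = "wan"          # upstream, affects everything
        elif vpn[sec] is None:
            labels[sec] = "tunnel-only"  # only traffic through the VPN
        else:
            labels[sec] = "ok"
    return labels

def sample_log(host, rtts, start=1577000000):
    """Build a constructed log in ping -D -O format; None means no reply."""
    rows = []
    for i, rtt in enumerate(rtts):
        body = (f"64 bytes from {host}: icmp_seq={i + 1} ttl=64 time={rtt} ms"
                if rtt is not None else f"no answer yet for icmp_seq={i + 1}")
        rows.append(f"[{start + i}.000000] {body}")
    return "\n".join(rows)

# Constructed sample data; all three addresses are placeholders.
LAN = sample_log("192.168.1.1", [0.6, None, 0.5, 0.7, 0.6, 0.5])
DIRECT = sample_log("192.0.2.10", [31.0, 30.2, None, 29.8, 30.5, 30.1])
VPN = sample_log("198.51.100.20", [310.0, 305.0, None, None, None, 312.0])

if __name__ == "__main__":
    labels = classify(parse(LAN), parse(DIRECT), parse(VPN))
    print(Counter(labels.values()))
```

A run of "tunnel-only" seconds while the LAN and direct targets keep answering points at the VPN path; "local" seconds point at Wi-Fi, cabling or the router before any upstream cause is considered.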
