IPSec/IKEV2 SMB performance issue

  • I have been running into an issue with SMB performance over the ipsec tunnel. I have read several of the articles (most older) where some people have a solution (sadly not shared) or the thread just dead ends.

    I have a typical and simple setup. pfSense but with AES-NI processor, setup with IKEV2 following the Netgate instruction, and a Windows 10 client road warrior (Comcast/Xfinity) side. The pfSense firewall (static side) has a 1gbps connection, mostly, idle, and the road warrior side has the 1gbps/160mbs connection.

    When I copy a file via SMB from the road warrior to the static server I always get 355kb. During this time all other connections (like SSH) going to the static side hang as well.

    Following a couple recommendations I have change the MTU on the static side to 1360 (DF ping fell of at 1370). Nothing seems to help.

    Are there any recommendations for optimizing this?

  • Rebel Alliance Developer Netgate

    Setting up MSS clamping for the VPN is the first step (VPN > IPsec, Advanced Settings tab), try a value of 1360 there.

    Also what is the SMB server? Could it be using an out of date version of the SMB protocol? IIRC versions before SMBv2 were even worse over VPNs but I could be misremembering when that was fixed. But most modern things, even Samba, should be using better than that. Still worth checking.

    Though even with that, no matter how fast it is, if there is too much latency it will fall apart.

  • @jimp

    Clamp setting is set to 1360. The smb server is Windows 2012 (yes, it's old and going away soon). Latency is usually pretty low for me, which is what made this odd. I am open to better ways of connectivity, but I'm aiming for keeping the client road warrior config simple.

    I notice that when I change things like clamping down to 1360 it doesn't ask me to apply the changes. Do I also need to restart the ipsec service as part of the change?

  • Rebel Alliance Developer Netgate

    That value applies to firewall rules so it doesn't need a restart of IPsec. It should reload on its own but you can initiate a filter reload to be sure: Status > Filter Reload.

    Also make sure you don't have scrub disabled under System > Advanced, Firewall & NAT tab.

  • @jimp

    I did the filter reload and that seemed to help. Getting easily 20mb/sec on some basic file transfers (limiter seems to be file size on copy at this point -- slows down on lots of smalls, which is expected). Better than 335kb.

    I can live with these settings.

  • @jimp

    And it came back. I'm wondering if it as something to do on the client site (behind a comcast/xfinity residential router). The server direct on a 1GB's dedicated connection.

    I'm guessing that either my workstation (windows 10) or the router is somehow fragmenting the packets or something. It gets spurts where it hits like 2-5MB/sec then back down to exactly 355KB/sec

    What would be a good way to test this on the Windows 10 client side of things? I don't know much about the tools for testing fragments or ipsec.

Log in to reply