• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

IPSec/IKEV2 SMB performance issue

Scheduled Pinned Locked Moved IPsec
6 Posts 2 Posters 2.0k Views 3 Watching
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • G Offline
    garywaynesmith
    last edited by Mar 10, 2020, 2:46 PM

    I have been running into an issue with SMB performance over the ipsec tunnel. I have read several of the articles (most older) where some people have a solution (sadly not shared) or the thread just dead ends.

    I have a typical and simple setup. pfSense but with AES-NI processor, setup with IKEV2 following the Netgate instruction, and a Windows 10 client road warrior (Comcast/Xfinity) side. The pfSense firewall (static side) has a 1gbps connection, mostly, idle, and the road warrior side has the 1gbps/160mbs connection.

    When I copy a file via SMB from the road warrior to the static server I always get 355kb. During this time all other connections (like SSH) going to the static side hang as well.

    Following a couple recommendations I have change the MTU on the static side to 1360 (DF ping fell of at 1370). Nothing seems to help.

    Are there any recommendations for optimizing this?

    1 Reply Last reply Reply Quote 0
    • J Offline
      jimp Rebel Alliance Developer Netgate
      last edited by Mar 11, 2020, 7:21 PM

      Setting up MSS clamping for the VPN is the first step (VPN > IPsec, Advanced Settings tab), try a value of 1360 there.

      Also what is the SMB server? Could it be using an out of date version of the SMB protocol? IIRC versions before SMBv2 were even worse over VPNs but I could be misremembering when that was fixed. But most modern things, even Samba, should be using better than that. Still worth checking.

      Though even with that, no matter how fast it is, if there is too much latency it will fall apart.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      G 1 Reply Last reply Mar 11, 2020, 7:43 PM Reply Quote 0
      • G Offline
        garywaynesmith @jimp
        last edited by Mar 11, 2020, 7:43 PM

        @jimp

        Clamp setting is set to 1360. The smb server is Windows 2012 (yes, it's old and going away soon). Latency is usually pretty low for me, which is what made this odd. I am open to better ways of connectivity, but I'm aiming for keeping the client road warrior config simple.

        I notice that when I change things like clamping down to 1360 it doesn't ask me to apply the changes. Do I also need to restart the ipsec service as part of the change?

        1 Reply Last reply Reply Quote 0
        • J Offline
          jimp Rebel Alliance Developer Netgate
          last edited by Mar 11, 2020, 7:47 PM

          That value applies to firewall rules so it doesn't need a restart of IPsec. It should reload on its own but you can initiate a filter reload to be sure: Status > Filter Reload.

          Also make sure you don't have scrub disabled under System > Advanced, Firewall & NAT tab.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          G 1 Reply Last reply Mar 16, 2020, 6:35 PM Reply Quote 0
          • G Offline
            garywaynesmith @jimp
            last edited by Mar 16, 2020, 6:35 PM

            @jimp

            I did the filter reload and that seemed to help. Getting easily 20mb/sec on some basic file transfers (limiter seems to be file size on copy at this point -- slows down on lots of smalls, which is expected). Better than 335kb.

            I can live with these settings.

            1 Reply Last reply Reply Quote 1
            • G Offline
              garywaynesmith
              last edited by Mar 18, 2020, 7:51 AM

              @jimp

              And it came back. I'm wondering if it as something to do on the client site (behind a comcast/xfinity residential router). The server direct on a 1GB's dedicated connection.

              I'm guessing that either my workstation (windows 10) or the router is somehow fragmenting the packets or something. It gets spurts where it hits like 2-5MB/sec then back down to exactly 355KB/sec

              What would be a good way to test this on the Windows 10 client side of things? I don't know much about the tools for testing fragments or ipsec.

              1 Reply Last reply Reply Quote 0
              1 out of 6
              • First post
                6/6
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                This community forum collects and processes your personal information.
                consent.not_received