Throughput issue on a virtualized Pfsense

hpman83

Hi,
I have an issue with Max throughput on my virtual Pfsense. The Pfsense runs on ESXi with 3 vCPU, 4 Gb RAM.
The average load is around 0.5
Number of states opens: around 40 000.
40 clients connected on the OpenVPN
About 150 PC connected to the LAN
20 Openvpn Site to site (Pfsense to Pfsense) connected.

My WAN link is fiber optic with 1 Gb/s max.
After the working hours, I can have around 850 Mbs speed on a client machine so pretty close to my max WAN speed.
During the day, the max speed I have on the same client is around 40 Mbs.
I monitor the link speed and the total traffic on my WAN link is around 60 Mbs on average.
The only difference between after works hours and during the days is the number of PC connected to the network.

Do you have any idea why the max speed during the day is so low in regard of my max WAN speed?

Thanks

Cool_Corona

@hpman83 Upgrade the cores unless youre on 2.4.5. And give it 8GB ram if possible.

hpman83

Hi,
I'm in the last version 2.4.5.
I'll try to upgrade the RAM to 8 Gb and I let you know.

Thanks

hpman83

Hi,
I upgraded the RAM to 8 Gb and same issue. Good connexion after work hours (850 Mbs) down to 45 Mbs during the day.
Very strange

bmeeks

@hpman83 said in Throughput issue on a virtualized Pfsense:

Hi,
I upgraded the RAM to 8 Gb and same issue. Good connexion after work hours (850 Mbs) down to 45 Mbs during the day.
Very strange

Hmm...perhaps the problem is on your ISP's side? Sounds like the ISP's network gets overloaded during working hours. This would indicate the ISP has not allocated enough bandwidth to the hub or remote station serving your area. In other words, your local node is oversubscribed. During working hours for you, are not all the other businesses around yours in operation as well? They would all be using up bandwidth from that ISP. After working hours, all of your employees are gone but then so are the employees of other businesses in the area. Thus the local ISP node is no longer oversubscribed.

hpman83

@bmeeks I'm gonna try to plug a computer directly after the router to see if there is any difference.

bmeeks

@hpman83 said in Throughput issue on a virtualized Pfsense:

@bmeeks I'm gonna try to plug a computer directly after the router to see if there is any difference.

That would be a good initial test. Unless you have severely anemic hardware, the number of users in your office during working hours should make no difference in network speed through the pfSense firewall. Problems on the ISP side, though, would be much more likely.

EDIT: oh, wait a minute! Just reread your initial post and noticed that you mentioned 20 open site-to-site VPN tunnels. Those, when loaded up, would definitely impact speed unless you have a very robust pfSense appliance. My eyes missed those 20 VPN tunnels on the first pass.

hpman83

The ESX specs are:
Hypervisor: VMware ESXi, 6.5.0, 8294253
Model: PowerEdge R630
Processor Type: Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40GHz
Logical Processors: 32 (16 cores: 2 CPU 8 core each).

My Pfsense has 3 vCPU on this host. The average load on the Pfsense is around 0.2 - 0.5.
The traffic on the 20 sites to sites is very low right now (Because of the Covid, a lot of remote site are closed).
I have around 50 remote workers with Openvpn Client too. All the client are using ADSL line so the load on each line is not very high.
I have around 20 Mbs bandwith in average, 14 Mbs of these are by computer on the local LAN, 6 Mbs on the OpenVPN link.

bmeeks

@hpman83 said in Throughput issue on a virtualized Pfsense:

The ESX specs are:
Hypervisor: VMware ESXi, 6.5.0, 8294253
Model: PowerEdge R630
Processor Type: Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40GHz
Logical Processors: 32 (16 cores: 2 CPU 8 core each).

My Pfsense has 3 vCPU on this host. The average load on the Pfsense is around 0.2 - 0.5.
The traffic on the 20 sites to sites is very low right now (Because of the Covid, a lot of remote site are closed).
I have around 50 remote workers with Openvpn Client too. All the client are using ADSL line so the load on each line is not very high.
I have around 20 Mbs bandwith in average, 14 Mbs of these are by computer on the local LAN, 6 Mbs on the OpenVPN link.

Okay, then my ISP hypothesis is back at the top of my suggested things to test out.

Mohanad

Hi
as you mention .. do you have another ISP connected ?
if so .. do your earlier troubleshoot , plug you laptop direct to the ISP and try to download a 10 Gb file from test speed sites (i am in sudan the difference between download and upload = 1/10 ) .. so if you have 1 Gb connection , should be 100 Mbps when you download the 10 Gb file
Try to do this in the rush hours .
If you satisfy about the bandwidth .. back it to the pfsense and try same 10Gb file from inside your network .. should not far from 100 Mbps (70-80)
Note : there is no need to expand your compute resource while it is 0.5

good luck