Netgate Discussion Forum

    ISP Throttling VPN

    OpenVPN
    15 Posts 5 Posters 1.3k Views
    • steve.comerford

      Hello all,

      The current setup is OpenVPN on an SG-3100 to an SG-4100, site-to-site, using port 1195 as 1194 is used for client-to-site. I have moved this from an IPsec site-to-site to see if I can overcome the throttling issue but with no luck. Both sites are on 200 meg symmetrical lines but we are only getting a max of 40 meg across the VPN, mostly 20 meg during peak times.

      I have tested an SG-2100 and SG-3100 on a different provider to confirm the VPN is capable of the 200meg throughput and it works fine with another provider so I know there are no hardware limitations.

      I have changed the ports and also to TCP from UDP on the OpenVPN to try and mask the traffic but the ISP is clearly wise to that, and it hasn't made any difference.

      Is anyone aware of any site-to-site VPN options within pfsense that will prevent the ISP from identifying the traffic and throttling? I have been chasing the ISP for weeks to get the issue addressed but I'm getting blanked by their support team.

      Or are there any tweaks within OpenVPN I could be making to try and achieve the required speed?

      Thanks in advance for any advice.

      • michmoor @steve.comerford

        @steve-comerford
        How are you testing throughput?

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        • steve.comerford

          Hello, thanks for your reply.

          iPerf from a client on the network to the remote gateway as well as client to client on the remote network. Both produce similar results.

          • michmoor @steve.comerford

            @steve-comerford
            if you do a speed test local at the site (speedtest.net) do you see 200Mbps ?

            • steve.comerford

              Yes getting 195meg on each site from speedtest.net.

              I have also just tested client to client on ZeroTier (peer to peer), and I am getting the same throttled speed of 40 meg using iPerf.

              Thanks.

              • michmoor @steve.comerford

                @steve-comerford
                This may be a case of VPN and MTU.
                Enable MSS Clamping under VPN > IPsec, Advanced Settings. Try with 1400 or lower values such as 1350 or 1300.

                If you are using OpenVPN, I think to set the MTU it's going to be under custom options:
                tun-mtu 1400;
                mssfix 1350;

                of course toy around with the numbers to see if you see throughput changing for the better or worse.

                • steve.comerford

                  Thanks for your input on this. Based on your feedback I have followed the guide below, but with no joy setting to 1470 or playing with lower numbers.

                  https://www.thegeekpub.com/271035/openvpn-mtu-finding-the-correct-settings/#:~:text=The%20first%20thing%20you%20need,the%20packet%20size%20to%20use.

                  I also went to System > Advanced > Firewall & NAT and enabled MSS clamping and played with various numbers in there; again it had zero effect at all on the performance.

                  Should I be matching the MTU and MSS settings on both sides, i.e server and client settings should match?

                  Would this be affected by the MTU settings of the actual WAN interface?

                  • michmoor @steve.comerford

                    @steve-comerford
                    You're setting it on the firewalls, right? You don't have to touch the clients.
                    Are you doing traffic shaping or using limiters in any way?

                    • steve.comerford

                      Yes on the firewalls, sorry what I meant was the OpenVPN server, and OpenVPN client within pfsense, not the clients as in workstations.

                      No traffic shaping or limiter in place, no IDS/IPS, no additional packages etc.

                      The main site has a client-to-gateway OpenVPN. Both sites have some VLANs configured, and the firewall rules are deny first with the required ports opened. That's the height of the complexity.

                      • michmoor @steve.comerford

                        @steve-comerford
                        hmmm. When you go on VPN, assuming one of your clients is a Windows machine, can you run the following?

                        ping REMOTE_HOSTNAME -f -l 1500

                        keep running the command until you get a ping response and that should be the MTU you set for the vpn tunnel.

                        I can't think of what else to try, to be honest.

                        • steve.comerford

                          Yeah, that's what I did to come up with 1470. Ping from workstation to workstation over VPN starting at 1500, dropping 10 until I got a successful ping and set the MTU to that.

                          I think I'm fighting a losing battle, to be honest; due to the fact that both the VPN traffic and the ZeroTier peer-to-peer traffic are being limited to the same speed, the only logical thing left is the ISP.

                          I appreciate your time on this; if nothing else I learned something new, thanks very much for your efforts. If I get a result I'll ping you an update on here.

                          Thanks @michmoor

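The DF-ping sweep michmoor describes above, and that the OP ran by hand stepping down from 1500 in tens, as an added example that is not part of the original thread. Two caveats worth building in: the size given to `ping -l` (Windows) or `ping -s` (Linux) is the ICMP payload only, so the IP-level MTU is that value plus 28 bytes (20-byte IPv4 header plus 8-byte ICMP header), which means a successful `-l 1470` implies a 1498-byte MTU rather than 1470; and a single lost probe must not be read as "too big", so the real probe retries. The script binary-searches instead of stepping, derives the MTU and the matching TCP MSS (MTU minus 40 bytes of IPv4 and TCP headers), and ships with a constructed simulated path so it can be exercised offline; the `ping` invocations and the host argument are assumptions for when it is run against a real target. Note also what is being measured: pinging workstation to workstation across the tunnel reports the tunnel's effective MTU, while pinging the remote WAN address from the firewall outside the tunnel reports the path MTU that the encapsulated OpenVPN packets must fit under, which is the figure `tun-mtu` and `mssfix` have to leave room for.

```python
"""Path MTU discovery with DF-set ICMP probes, and the MSS that follows from it.

Added example for the thread above; not code from the forum or from pfSense.
"""
import subprocess
import sys
from typing import Callable, Dict

IPV4_HEADER = 20    # IPv4 header without options
ICMP_HEADER = 8     # ICMP echo header; ping's size flag counts only the data after it
TCP_HEADER = 20     # TCP header without options
ETHERNET_MTU = 1500

Probe = Callable[[int], bool]


def find_max_df_payload(probe: Probe, lo: int = 0,
                        hi: int = ETHERNET_MTU - IPV4_HEADER - ICMP_HEADER) -> int:
    """Largest ICMP payload that is answered with DF set, found by binary search.

    probe(size) returns True when an echo carrying `size` bytes gets a reply.
    Assumes the result is monotonic in size (true for one fixed path) and that
    `lo` succeeds; `hi` defaults to the largest payload that fits 1500 bytes.
    """
    if not probe(lo):
        raise RuntimeError("smallest probe failed: host unreachable or ICMP filtered")
    if probe(hi):
        return hi
    # invariant: probe(lo) succeeded, probe(hi) failed
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def payload_to_mtu(payload: int) -> int:
    """IP-level MTU implied by a successful DF ping with this payload size."""
    return payload + IPV4_HEADER + ICMP_HEADER


def mtu_to_mss(mtu: int) -> int:
    """TCP MSS that fits in a packet of this MTU (headers without options)."""
    return mtu - IPV4_HEADER - TCP_HEADER


def simulated_probe(path_mtu: int) -> Probe:
    """Constructed stand-in for a real path: answers iff the whole packet fits."""
    return lambda size: payload_to_mtu(size) <= path_mtu


def ping_probe(host: str, attempts: int = 2, timeout_s: int = 2) -> Probe:
    """Real probe via the system ping (assumed: Windows or Linux iputils syntax).

    Retries so that one lost packet is not mistaken for a fragmentation failure.
    """
    def probe(size: int) -> bool:
        if sys.platform.startswith("win"):
            # Windows: -f sets DF, -l is payload bytes, -w is the timeout in ms
            cmd = ["ping", "-n", "1", "-f", "-l", str(size),
                   "-w", str(timeout_s * 1000), host]
        else:
            # Linux iputils: -M do forbids fragmentation, -s is payload bytes, -W in s
            cmd = ["ping", "-c", "1", "-M", "do", "-s", str(size),
                   "-W", str(timeout_s), host]
        for _ in range(attempts):
            rc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL).returncode
            if rc == 0:          # ping exits 0 only when a reply came back
                return True
        return False
    return probe


def discover(probe: Probe) -> Dict[str, int]:
    """Run the sweep and report payload, path MTU and the MSS to clamp to."""
    payload = find_max_df_payload(probe)
    mtu = payload_to_mtu(payload)
    return {"max_df_payload": payload, "path_mtu": mtu, "tcp_mss": mtu_to_mss(mtu)}


if __name__ == "__main__":
    # With a host argument this probes the real path; without one it uses a
    # constructed 1492-byte path (typical PPPoE) so the script runs offline.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for key, value in discover(ping_probe(target) if target else simulated_probe(1492)).items():
        print(f"{key}: {value}")
```

Run it from a host on one LAN against a host on the other to measure the tunnel, or from the firewall shell against the remote WAN address to measure the underlying path; the `tcp_mss` figure is the value to try in the MSS clamp field, and the `path_mtu` figure is the ceiling the encapsulated packet has to stay under.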
                          • Bob.Dig

                            Around here there are ISP which have bad peering and do throttle all kinds of stuff. Maybe name your ISP and connection technology and others can confirm.

                            • michmoor @Bob.Dig

                              @Bob-Dig
                              Could be bad peering; I didn't think of that.

                              OP would need to do an iPerf test (using port forwards) to confirm that.

                              • NOCling

                                The best MSS for IPsec tunnel mode is 1328 if you don't want padding.
                                https://packetpushers.net/ipsec-bandwidth-overhead-using-aes/

                                Netgate 6100 & Netgate 2100

                                • JKnott @steve.comerford

                                  @steve-comerford said in ISP Throttling VPN:

                                  I have changed the ports and also to TCP from UDP on the OpenVPN to try and mask the traffic but the ISP is clearly wise to that, and it hasn't made any difference.

                                  I'm aware of networks that block VPNs and the way around that is to use TCP port 80 to get through the firewall. That might also work for throttling, if that's actually what's happening.

                                  PfSense running on Qotom mini PC
                                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                  UniFi AC-Lite access point

                                  I haven't lost my mind. It's around here...somewhere...

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.