Netgate Discussion Forum

    IPsec performance inconsistent and slow

      tfboy

      I have a similar issue I think to this post: https://forum.netgate.com/post/1082670

      My setup is running pfSense on Protectli appliances.
      Site A has a 900Mb / 900Mb fibre connection
      Site B has a 900Mb / 600Mb fibre connection

      If I do large file transfers over FTP but without IPsec (just using FTPS over SSL with port forwarding on the pfSense to the FTP server), I get consistent, fast speeds:
      [screenshot of the FTP transfer speeds without IPsec]

      However, the minute I try to route over the IPsec tunnel, I get slower and very variable performance:
      [screenshot of the FTP transfer speeds over the IPsec tunnel]

      I've played around with adjusting the MSS on both sides. Testing with iperf3 gives some interesting results, using the command iperf3 -c 192.168.21.100 -P 50 -t 30.
      With MSS enabled, but left at the default of 1400, I get pretty mediocre performance given the line speed:

      [SUM]   0.00-30.00  sec   513 MBytes   144 Mbits/sec  3914        sender
      [SUM]   0.00-30.00  sec   451 MBytes   126 Mbits/sec              receiver
      

      If I lower the MSS to 1320, I get far better results:

      [SUM]   0.00-30.00  sec  2.97 GBytes   850 Mbits/sec  2443        sender
      [SUM]   0.00-30.00  sec  2.91 GBytes   832 Mbits/sec              receiver
      

      Both appliances have VLAN tagged traffic on the WAN side so I think 1320 is probably about as high as I can safely go.

      However, having said all that, the varying performance on the FTP transfers above is obtained with the lower 1320 MSS value that gives the better iperf3 results. So I'm not sure if it's an MSS thing or not.

      Where would be the next place to look?

        tinfoilmatt @tfboy

        @tfboy Sniff the actual packets to see if anything jumps out.

        Also, not necessarily related, but are those iperf tests Protectli to Protectli— or Site A/B host to Site B/A host? It's a much fairer throughput baseline as the latter (i.e., Site A/B host to Site B/A host).

          tfboy @tinfoilmatt

          @tinfoilmatt thanks. The iperf3 tests are done on hosts, not on the firewalls directly.
          Interestingly, I've since also set up a WireGuard VPN and that seems to work a little better than IPsec, but still 20-30% slower with large file transfers over FTP than going over the WAN.

          Following the guide on Netgate's website for WireGuard, I noticed that they clamp down the packet size by adjusting the MTU rather than the MSS; I don't know if there's a reason for doing it like that.

          But as I'm seeing the WireGuard performance still a bit off, maybe it's not just an IPsec thing? I did wonder if the CPU was the bottleneck, but they never go above 20% or so usage so I doubt it's the processor that's the bottleneck.

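A worked example of the overhead budgeting behind the two approaches discussed in this thread (the MSS values of 1400 and 1320 tried in the first post, and the MTU-versus-MSS clamping question in the last one). This is added illustration code, not code from the thread or from pfSense/Netgate; it assumes IPv4, ESP tunnel mode with NAT-T (UDP/4500), and the two phase 2 cipher profiles shown, none of which the posts state.

```python
# Added worked example; assumptions: IPv4, ESP tunnel mode, NAT-T present,
# and the two cipher profiles below (the thread does not name the proposal).
from dataclasses import dataclass

IPV4_HDR, TCP_HDR, UDP_HDR = 20, 20, 8
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)

@dataclass(frozen=True)
class EspProfile:
    name: str
    iv_len: int    # IV bytes carried after the ESP header
    align: int     # plaintext+trailer alignment: cipher block for CBC, 4 for AEAD
    icv_len: int   # integrity check value bytes
    nat_t: bool    # UDP/4500 encapsulation present

AES128_GCM = EspProfile("aes128gcm16", iv_len=8, align=4, icv_len=16, nat_t=True)
AES128_CBC_SHA256 = EspProfile("aes128-sha256", iv_len=16, align=16, icv_len=16, nat_t=True)

def esp_overhead(profile: EspProfile, inner_len: int) -> int:
    """Bytes added when an inner IPv4 packet of inner_len is wrapped in tunnel-mode ESP."""
    plain = inner_len + ESP_TRAILER
    padding = (-plain) % profile.align           # bring plaintext up to the alignment
    return (IPV4_HDR + (UDP_HDR if profile.nat_t else 0) + ESP_HDR
            + profile.iv_len + padding + ESP_TRAILER + profile.icv_len)

def outer_size(profile: EspProfile, mss: int) -> int:
    """On-the-wire IPv4 size of a full-MSS TCP segment after tunnelling."""
    inner = IPV4_HDR + TCP_HDR + mss
    return inner + esp_overhead(profile, inner)

def max_inner_mtu(wan_mtu: int, profile: EspProfile) -> int:
    """Largest inner IPv4 packet that never needs outer fragmentation: the value to
    put on a tunnel interface when clamping by MTU (the WireGuard-guide approach)."""
    inner = wan_mtu - IPV4_HDR
    while inner + esp_overhead(profile, inner) > wan_mtu:
        inner -= 1
    return inner

def max_mss(wan_mtu: int, profile: EspProfile) -> int:
    """Equivalent MSS clamp: the inner MTU minus the inner IPv4 and TCP headers."""
    return max_inner_mtu(wan_mtu, profile) - IPV4_HDR - TCP_HDR

if __name__ == "__main__":
    for prof in (AES128_GCM, AES128_CBC_SHA256):
        print(prof.name, "max MSS at WAN MTU 1500:", max_mss(1500, prof))
        for mss in (1400, 1320):                 # the two values tried in the thread
            size = outer_size(prof, mss)
            print(f"  MSS {mss}: outer packet {size} bytes",
                  "fits" if size <= 1500 else "needs fragmentation")
```

Pass a lower wan_mtu (for example what the VLAN-tagged WAN actually passes, as found with a don't-fragment ping) to see how much headroom 1320 really leaves under each profile.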
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.