ALIX board and OpenVPN slowing system down



  • Hi Everyone,

I have installed an ALIX2D3 running pfsense 1.2.3 RELEASE at a client's business. Everything works fine, until I configure it as an OpenVPN client (to connect to my hosted OpenVPN server). The VPN seems to run fine, however normal web surfing hangs a lot on "Connecting to…". I'm suspecting that either the box is struggling with outbound NAT, or the OpenVPN config messes up the routing table?

What is even more strange is that the problem still persists even when I disable the VPN tunnel. A factory reset fixes the issue, until I set up the VPN again.

For what it's worth, this pfsense box is in a double NAT environment (its WAN port is connected to the LAN side of a Virgin Media router), however connecting a PC directly to the Virgin Media router works perfectly, so I don't think that's the issue.

    Any ideas?

    Thanks


  • Rebel Alliance Developer Netgate

    What kind of throughput does that site have?

    The ALIX, combined with OpenVPN, can only handle between 8-20Mbit (depending largely on the cipher being used), and that is with "engine cryptodev;" in the config.

    See here: http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

    As for why the problem seems to stick around after the VPN is dropped, that's harder to say. You might need to look at the output of "top -SH" from an ssh session to the box, or check the system logs for any kinds of errors.



  • Hi jimp,

The site traffic lies idle at the minute, as the machines aren't being used (new office).

    I'll take a look at top to see if there is any CPU hogging going on. As for "System Logs", where is the best place to look for these? Is there any way to see why pfSense gets stuck on "Connecting to.." in the web browsers?

Are you able to tell me the difference between a pfsense config with no OpenVPN clients configured, and one that has the box configured as a client but disabled? Are there any more differences apart from the XML pfsense config files?

    Thanks


  • Rebel Alliance Developer Netgate

    There should not be any differences in the config aside from the enabled/disabled flag for that connection.

    You might want to check and see if the connection was actually stopped though, check the output of "ps uxawww | grep openvpn" - if that shows a process, then the VPN didn't really disconnect when you disabled it.



  • I use Alix2d3 for administrative purposes and to connect SIP extensions to the system using OpenVPN and it's all fine. The WAN port has only 1mbps down and 512mbps upload. Though there are no PCs attached to this router. Only phones. All works fine.



  • Hi Everyone,

So I ran top while browsing the web. The system sits at mostly idle. The lowest I saw the idle meter drop was down to 94%.

    Also, disabling the OpenVPN client does indeed actually stop it, as ps doesn't show the process anymore. Here is my routing table after the openvpn process has stopped (10.86.2.0/24 is pfsense's LAN and 192.168.0.0/24 is the WAN subnet):

    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.0.1        UGS         0  6543827    vr1
    10.86.2.0          link#1             UC          0        0    vr0
    10.86.2.243        00:21:63:c9:c1:a1  UHLW        1     2833    vr0   1043
    10.86.2.245        00:24:2b:bb:44:74  UHLW        1  1699587    vr0   1016
    localhost          localhost          UH          0        0    lo0
    192.168.0.0        link#2             UC          0        0    vr1
    192.168.0.1        30:46:9a:c5:f9:15  UHLW        2    38401    vr1    682

    Internet6:
    Destination        Gateway            Flags      Netif Expire
    ::1                ::1                UHL         lo0
    fe80::%vr0         link#1             UC          vr0
    fe80::20d:b9ff:fe1 00:0d:b9:1e:1b:88  UHL         lo0
    fe80::%vr1         link#2             UC          vr1
    fe80::20d:b9ff:fe1 00:0d:b9:1e:1b:89  UHL         lo0
    fe80::%lo0         fe80::1%lo0        U           lo0
    fe80::1%lo0        link#5             UHL         lo0
    ff01:1::           link#1             UC          vr0
    ff01:2::           link#2             UC          vr1
    ff01:5::           ::1                UC          lo0
    ff01:8::           link#8             UC         tun0
    ff02::%vr0         link#1             UC          vr0
    ff02::%vr1         link#2             UC          vr1
    ff02::%lo0         ::1                UC          lo0
    ff02::%tun0        link#8             UC         tun0

Do those look like they could cause any problems? My problems "feel" like a MAC address conflict, however I can't see anything above that would relate to that.

    Any other ideas?

    Has anyone else tried an Alix 2D3 with pfsense and OpenVPN client mode?

    Thanks



  • @jonnytabpni:

    Has anyone else tried an Alix 2D3 with pfsense and OpenVPN client mode?

    Numerous times. As long as you aren't pushing more traffic than that CPU can handle, somewhere between 8-20 Mbps depending on cipher, you're fine. A crypto card increases that pretty considerably, 1.5-2 times as much. If you need to push more than that, you need a faster CPU.



On the same note, for Alix boards I think there is a recommended encryption method that is advised to be used. I am wondering if it's true that all Alix boards have that built-in driver/chip or things should be done to install it? (sorry, don't quite remember the name of the technology/driver...)


  • Rebel Alliance Developer Netgate

    All Geode CPUs (ALIX, Soekris, etc) have the GLX Security Block device (glxsb) which will accelerate only AES-128. So for OpenVPN you need to set aes-128-cbc, and for IPsec, you set Rijndael (which is AES-128). Unless you have disabled the glxsb device under System > Advanced, it is loaded at boot time on supported platforms.
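As an added shell example (not from the thread, pfSense or OpenVPN) that ties together the routing table posted above and the cipher advice in the last two replies: it scans a netstat -rn style table for a MAC that is the gateway for more than one address (the conflict suspected above) and for stray default routes, and checks that an OpenVPN client config selects AES-128-CBC with "engine cryptodev", the combination glxsb can accelerate. The table is the posted IPv4 table with one constructed extra entry; the configs and the server name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed input: the IPv4 part of the
# routing table posted above plus one extra host (10.86.2.250) that reuses the
# MAC of 10.86.2.245, so the duplicate check has something to find.
ROUTES='Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGS         0  6543827    vr1
10.86.2.0          link#1             UC          0        0    vr0
10.86.2.243        00:21:63:c9:c1:a1  UHLW        1     2833    vr0   1043
10.86.2.245        00:24:2b:bb:44:74  UHLW        1  1699587    vr0   1016
10.86.2.250        00:24:2b:bb:44:74  UHLW        1       12    vr0    900
192.168.0.0        link#2             UC          0        0    vr1
192.168.0.1        30:46:9a:c5:f9:15  UHLW        2    38401    vr1    682'
# Constructed OpenVPN client configs; the server name is a placeholder.
GOOD_CFG='client
dev tun
remote vpn.example.invalid 1194
cipher AES-128-CBC
engine cryptodev'
BAD_CFG='client
dev tun
remote vpn.example.invalid 1194
cipher AES-256-CBC'

# Print each MAC that is the gateway for more than one destination, as
# "mac: ip ip ..."; return 1 if any was found, else 0 (MACs have six ":" groups).
dup_macs() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        split($2, p, ":") == 6 { n[$2]++; hosts[$2] = hosts[$2] " " $1 }
        END { for (m in n) if (n[m] > 1) { print m ":" hosts[m]; bad = 1 }
              exit bad }'
}

# Print the number of default routes; more than one after OpenVPN has stopped
# means a stale route was left behind.
default_routes() {
    printf '%s\n' "$1" | awk '$1 == "default" { c++ } END { print c + 0 }'
}

# Return 0 only if the config picks the cipher glxsb accelerates (AES-128-CBC)
# and enables the cryptodev engine; 1 for the wrong/no cipher, 2 for no engine.
check_ovpn_cfg() {
    printf '%s\n' "$1" | grep -qi '^cipher[[:space:]][[:space:]]*aes-128-cbc[[:space:]]*$' || return 1
    printf '%s\n' "$1" | grep -qi '^engine[[:space:]][[:space:]]*cryptodev[[:space:]]*$' || return 2
}

dup_macs "$ROUTES" || echo "duplicate MAC(s) listed above"
echo "default routes: $(default_routes "$ROUTES")"
check_ovpn_cfg "$GOOD_CFG" && echo "config uses AES-128-CBC with engine cryptodev"
```

On the box itself the same functions can be fed live output, e.g. `dup_macs "$(netstat -rn)"` after confirming with `ps uxawww | grep openvpn` that the client has really stopped.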

