Netgate Discussion Forum

    ALIX board and OpenVPN slowing system down

    General pfSense Questions
    9 Posts 4 Posters 9.4k Views
    jonnytabpni

      Hi Everyone,

      I have installed an ALIX2D3 running pfSense 1.2.3 RELEASE at a client's business. Everything works fine, until I configure it as an OpenVPN client (to connect to my hosted OpenVPN server). The VPN seems to run fine, however normal web surfing hangs a lot on "Connecting to…". I'm suspecting that either the box is struggling with outbound NAT, or the OpenVPN config messes up the routing table?

      What is even more strange is that the problem still persists even when I disable the VPN tunnel. A factory reset fixes the issue, until I set up the VPN again.

      For what it's worth, this pfSense box is in a double NAT environment (its WAN port is connected to the LAN side of a Virgin Media router), however connecting a PC directly to the Virgin Media router works perfectly, so I don't think that's the issue.

      Any ideas?

      Thanks

      jimp (Rebel Alliance Developer, Netgate)

        What kind of throughput does that site have?

        The ALIX, combined with OpenVPN, can only handle between 8-20Mbit (depending largely on the cipher being used), and that is with "engine cryptodev;" in the config.

        See here: http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported

        As for why the problem seems to stick around after the VPN is dropped, that's harder to say. You might need to look at the output of "top -SH" from an ssh session to the box, or check the system logs for any kinds of errors.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        jonnytabpni

          Hi jimp,

          The site traffic lies idle at the minute, as the machines aren't being used (new office).

          I'll take a look at top to see if there is any CPU hogging going on. As for "System Logs", where is the best place to look for these? Is there any way to see why pfSense gets stuck on "Connecting to.." in the web browsers?

          Are you able to tell me the difference between a pfSense config with no OpenVPN clients configured and one that has the box configured as a client but disabled? Are there any more differences apart from the XML pfSense config files?

          Thanks

          jimp (Rebel Alliance Developer, Netgate)

            There should not be any differences in the config aside from the enabled/disabled flag for that connection.

            You might want to check and see if the connection was actually stopped though, check the output of "ps uxawww | grep openvpn" - if that shows a process, then the VPN didn't really disconnect when you disabled it.

            torontob

              I use Alix2d3 for administrative purposes and to connect SIP extensions to the system using OpenVPN and it's all fine. The WAN port has only 1mbps down and 512mbps upload. Though there are no PCs attached to this router. Only phones. All works fine.

              jonnytabpni

                Hi Everyone,

                So I ran top while browsing the web. The system sits at mostly idle. The lowest I saw the idle meter drop was down to 94%.

                Also, disabling the OpenVPN client does indeed actually stop it, as ps doesn't show the process anymore. Here is my routing table after the openvpn process has stopped (10.86.2.0/24 is pfSense's LAN and 192.168.0.0/24 is the WAN subnet):

                Routing tables

                Internet:
                Destination        Gateway            Flags    Refs      Use  Netif Expire
                default            192.168.0.1        UGS         0  6543827    vr1
                10.86.2.0          link#1             UC          0        0    vr0
                10.86.2.243        00:21:63:c9:c1:a1  UHLW        1     2833    vr0   1043
                10.86.2.245        00:24:2b:bb:44:74  UHLW        1  1699587    vr0   1016
                localhost          localhost          UH          0        0    lo0
                192.168.0.0        link#2             UC          0        0    vr1
                192.168.0.1        30:46:9a:c5:f9:15  UHLW        2    38401    vr1    682

                Internet6:
                Destination        Gateway            Flags      Netif Expire
                ::1                ::1                UHL         lo0
                fe80::%vr0         link#1             UC          vr0
                fe80::20d:b9ff:fe1 00:0d:b9:1e:1b:88  UHL         lo0
                fe80::%vr1         link#2             UC          vr1
                fe80::20d:b9ff:fe1 00:0d:b9:1e:1b:89  UHL         lo0
                fe80::%lo0         fe80::1%lo0        U           lo0
                fe80::1%lo0        link#5             UHL         lo0
                ff01:1::           link#1             UC          vr0
                ff01:2::           link#2             UC          vr1
                ff01:5::           ::1                UC          lo0
                ff01:8::           link#8             UC         tun0
                ff02::%vr0         link#1             UC          vr0
                ff02::%vr1         link#2             UC          vr1
                ff02::%lo0         ::1                UC          lo0
                ff02::%tun0        link#8             UC         tun0

                Do those look like they could cause any problems? My problems "feel" like a MAC address conflict, however I can't see anything above that would relate to that.

                Any other ideas?

                Has anyone else tried an Alix 2D3 with pfSense and OpenVPN client mode?

                Thanks

                cmb
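                One way to check a table like the one above mechanically, rather than by eye: the script below is an added example (not code from the thread or from pfSense) that parses FreeBSD `netstat -rn` output and reports what a VPN client should leave behind once it is stopped: a default route that still points at the WAN interface with the G flag, and no routes bound to the tunnel interface. The embedded sample is an abridged copy of the posted table; the interface names `vr1` (WAN) and `tun0` (OpenVPN) are taken from that post, and `audit_after_vpn_down` is this example's own check, not anything pfSense runs.

```python
"""Parse FreeBSD `netstat -rn` output and flag what an OpenVPN client
left behind after it was stopped (added example, not pfSense code)."""

from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: abridged from the routing table posted in the thread.
SAMPLE_NETSTAT = """Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGS         0  6543827    vr1
10.86.2.0          link#1             UC          0        0    vr0
10.86.2.243        00:21:63:c9:c1:a1  UHLW        1     2833    vr0   1043
localhost          localhost          UH          0        0    lo0
192.168.0.0        link#2             UC          0        0    vr1
192.168.0.1        30:46:9a:c5:f9:15  UHLW        2    38401    vr1    682

Internet6:
Destination        Gateway            Flags      Netif Expire
::1                ::1                UHL         lo0
fe80::%vr0         link#1             UC          vr0
ff01:8::           link#8             UC         tun0
ff02::%tun0        link#8             UC         tun0
"""


@dataclass(frozen=True)
class Route:
    family: str   # "inet" or "inet6"
    dest: str
    gateway: str
    flags: str
    netif: str


def parse_routes(text: str) -> List[Route]:
    """Parse the 'Internet:' and 'Internet6:' sections of `netstat -rn`."""
    routes: List[Route] = []
    family: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Internet:":
            family = "inet"
            continue
        if line == "Internet6:":
            family = "inet6"
            continue
        if not line or family is None or line.startswith("Destination"):
            continue
        cols = line.split()
        # FreeBSD prints Refs and Use for IPv4 only; Expire is optional in both
        # tables, so the interface column is index 5 (v4) or index 3 (v6).
        netif_idx = 5 if family == "inet" else 3
        if len(cols) <= netif_idx:
            continue  # truncated or unexpected row: skip rather than guess
        routes.append(Route(family, cols[0], cols[1], cols[2], cols[netif_idx]))
    return routes


def default_routes(routes: List[Route]) -> List[Route]:
    return [r for r in routes if r.dest == "default"]


def routes_via(routes: List[Route], netif: str) -> List[Route]:
    return [r for r in routes if r.netif == netif]


def audit_after_vpn_down(routes: List[Route], vpn_if: str = "tun0",
                         wan_if: str = "vr1") -> List[str]:
    """Findings for a box whose VPN client has been stopped: the default route
    must sit on the WAN with the G (gateway) flag, and nothing should still be
    bound to the tunnel interface. Interface names are assumptions."""
    findings: List[str] = []
    defaults = default_routes(routes)
    if not defaults:
        findings.append("no default route: box cannot reach the Internet")
    for r in defaults:
        if r.netif != wan_if:
            findings.append(f"default route via {r.gateway} on {r.netif}, expected {wan_if}")
        if "G" not in r.flags:
            findings.append(f"default route on {r.netif} lacks the G (gateway) flag")
    for r in routes_via(routes, vpn_if):
        findings.append(f"{r.family} route {r.dest} still bound to {vpn_if} after VPN stop")
    return findings


if __name__ == "__main__":
    for finding in audit_after_vpn_down(parse_routes(SAMPLE_NETSTAT)):
        print(finding)
```

                On the posted table this reports only the two IPv6 scope routes still bound to tun0: the default route is correctly on vr1 via 192.168.0.1, so the table alone does not explain the browser hangs. Leftover tun0 entries show the tunnel device outlived the openvpn process, which is worth noting alongside `ifconfig tun0` and the pf state table (`pfctl -ss`) when chasing a problem that survives disabling the VPN.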

                  @jonnytabpni:

                  Has anyone else tried an Alix 2D3 with pfsense and OpenVPN client mode?

                  Numerous times. As long as you aren't pushing more traffic than that CPU can handle, somewhere between 8-20 Mbps depending on cipher, you're fine. A crypto card increases that pretty considerably, 1.5-2 times as much. If you need to push more than that, you need a faster CPU.

                    torontob

                    On the same note, for Alix boards I think there is a recommended encryption method that is advised to be used. I am wondering if it's true that all Alix boards have that built-in driver/chip or whether things should be done to install it? (Sorry, I don't quite remember the name of the technology/driver...)

                      jimp (Rebel Alliance Developer, Netgate)

                      All Geode CPUs (ALIX, Soekris, etc) have the GLX Security Block device (glxsb) which will accelerate only AES-128. So for OpenVPN you need to set aes-128-cbc, and for IPsec, you set Rijndael (which is AES-128). Unless you have disabled the glxsb device under System > Advanced, it is loaded at boot time on supported platforms.

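                      The two pieces of advice in this thread, jimp's "engine cryptodev;" and the AES-128-only limit of glxsb, put together as an OpenVPN client configuration. This is an added example, not a config from the thread or one pfSense generates; the server name, port and certificate paths are placeholders. On pfSense the same choices are made in the GUI: the cipher from the client's drop-down and `engine cryptodev;` in the custom options box (pfSense separates custom directives with semicolons, hence the trailing `;` in jimp's post).

```conf
# OpenVPN client for a Geode/ALIX board (added example, placeholders marked)
client
dev tun
proto udp
remote vpn.example.net 1194        # placeholder: the hosted OpenVPN server

# Unaccelerated: OpenVPN 2.0/2.1 defaults to BF-CBC when 'cipher' is omitted,
# which glxsb cannot handle, so every packet is encrypted on the 500 MHz Geode.
# cipher BF-CBC

# Accelerated: glxsb only does AES-128, so it must be exactly this cipher ...
cipher AES-128-CBC
# ... and OpenSSL must hand the work to the kernel crypto device. Needs glxsb
# loaded (not disabled under System > Advanced) and /dev/crypto present.
engine cryptodev

# The HMAC is not accelerated by glxsb; it stays on the CPU regardless.
auth SHA1

ca   /var/etc/openvpn/ca.crt       # placeholder paths for the PKI material
cert /var/etc/openvpn/client.crt
key  /var/etc/openvpn/client.key
persist-key
persist-tun
verb 3
```

                      Two caveats for anyone reusing this today: the throughput figures quoted above come from AES-128-CBC plus a separate HMAC, which is the only combination this hardware can help with; AES-GCM, the usual choice on OpenVPN 2.4 and later, is not accelerated by glxsb. And the `engine` mechanism relies on the OpenSSL ENGINE API, which OpenSSL 3 deprecates, so on a modern build confirm with `openssl engine -t` that cryptodev is actually available before assuming the offload is happening.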
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.