ALIX board and OpenVPN slowing system down
-
Hi Everyone,
I have installed an ALIX2D3 running pfsense 1.2.3 RELEASE at a client's business. Everything works fine, until I configure it as an OpenVPN client (to connect to my hosted openVPN server). The VPN seems to run fine, however normal web surfing hangs a lot on "Connecting to…". I'm suspecting that either the box is struggling with outbound NAT, or the openVPN config messes up the routing table?
What is even more strange is that the problem still persists even when I disable the VPN tunnel. A factory reset fixes the issue, until I set up the VPN again.
For what it's worth, this pfsense box is in a double NAT environment (its WAN port is connected to the LAN side of a Virgin Media router), however connecting a PC directly to the Virgin Media router works perfectly, so I don't think that's the issue.
Any ideas?
Thanks
-
What kind of throughput does that site have?
The ALIX, combined with OpenVPN, can only handle between 8-20Mbit (depending largely on the cipher being used), and that is with "engine cryptodev;" in the config.
See here: http://doc.pfsense.org/index.php/Are_cryptographic_accelerators_supported
As for why the problem seems to stick around after the VPN is dropped, that's harder to say. You might need to look at the output of "top -SH" from an ssh session to the box, or check the system logs for any kinds of errors.
-
Hi jimp,
The site traffic lies idle at the minute, as the machines aren't being used (new office).
I'll take a look at top to see if there is any CPU hogging going on. As for "System Logs", where is the best place to look for these? Is there any way to see why pfSense gets stuck on "Connecting to.." in the web browsers?
Are you able to tell me the difference between a pfsense config between no OpenVPN clients configured, and one that has the box configured as a client but, disabled? Are there any more differences apart from the XML pfsense config files?
Thanks
-
There should not be any differences in the config aside from the enabled/disabled flag for that connection.
You might want to check and see if the connection was actually stopped though, check the output of "ps uxawww | grep openvpn" - if that shows a process, then the VPN didn't really disconnect when you disabled it.
-
I use Alix2d3 for administrative purposes and to connect SIP extensions to the system using OpenVPN and it's all fine. The WAN port has only 1mbps down and 512mbps upload. Though there are no PCs attached to this router. Only phones. All works fine.
-
Hi Everyone,
So I ran top while browsing the web. The system sits at mostly idle. The lowest I saw the idle meter drop was down to 94%.
Also, disabling the OpenVPN client does indeed actually stop it, as ps doesn't show the process anymore. Here is my routing table after the openvpn process has stopped (10.86.2.0/24 is pfsense's LAN and 192.168.0.0/24 is the WAN subnet):
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.0.1 UGS 0 6543827 vr1
10.86.2.0 link#1 UC 0 0 vr0
10.86.2.243 00:21:63:c9:c1:a1 UHLW 1 2833 vr0 1043
10.86.2.245 00:24:2b:bb:44:74 UHLW 1 1699587 vr0 1016
localhost localhost UH 0 0 lo0
192.168.0.0 link#2 UC 0 0 vr1
192.168.0.1 30:46:9a:c5:f9:15 UHLW 2 38401 vr1 682
Internet6:
Destination Gateway Flags Netif Expire
::1 ::1 UHL lo0
fe80::%vr0 link#1 UC vr0
fe80::20d:b9ff:fe1 00:0d:b9:1e:1b:88 UHL lo0
fe80::%vr1 link#2 UC vr1
fe80::20d:b9ff:fe1 00:0d:b9:1e:1b:89 UHL lo0
fe80::%lo0 fe80::1%lo0 U lo0
fe80::1%lo0 link#5 UHL lo0
ff01:1:: link#1 UC vr0
ff01:2:: link#2 UC vr1
ff01:5:: ::1 UC lo0
ff01:8:: link#8 UC tun0
ff02::%vr0 link#1 UC vr0
ff02::%vr1 link#2 UC vr1
ff02::%lo0 ::1 UC lo0
ff02::%tun0 link#8 UC tun0
Do those look like they could cause any problems? My problems "feel" like a MAC address conflict, however I can't see anything above that would relate to that..
Any other ideas?
Has anyone else tried an Alix 2D3 with pfsense and OpenVPN client mode?
Thanks
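One way to answer "do those look like they could cause any problems?" mechanically is to pull out every route still bound to the tunnel interface after the openvpn process is gone. The script below is an added example, not something from this thread or from pfSense itself; it parses FreeBSD "netstat -rn" text (both the Internet and Internet6 sections, which have different column layouts) and lists routes on interfaces matching a pattern. The sample input is constructed from the table posted above, plus one made-up IPv4 route via tun0 to show the IPv4 column handling.

```sh
#!/bin/sh
# Added diagnostic (not from the thread): list routes that still reference a
# tun interface in "netstat -rn" output, e.g. after OpenVPN has been disabled.

# Constructed sample: rows taken from the routing table above, plus a
# made-up "10.0.8.1 via tun0" row so the IPv4 section has a tun route too.
SAMPLE='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGS         0  6543827    vr1
10.86.2.0          link#1             UC          0        0    vr0
10.0.8.1           10.0.8.5           UGS         0        0   tun0
localhost          localhost          UH          0        0    lo0

Internet6:
Destination        Gateway            Flags      Netif Expire
::1                ::1                UHL        lo0
ff01:8::           link#8             UC         tun0
ff02::%tun0        link#8             UC         tun0'

# Print "<family> <destination> <netif>" for every route whose interface
# matches the regex in $1 (default: tun). Reads netstat -rn text on stdin.
# The Netif column index is taken from each section's own header line,
# because the IPv4 table has Refs/Use columns and the IPv6 table does not.
routes_on_if() {
    pat="${1:-tun}"
    awk -v pat="$pat" '
        /^Internet:/   { fam = "inet";  col = 0; next }
        /^Internet6:/  { fam = "inet6"; col = 0; next }
        /^Destination/ {
            for (i = 1; i <= NF; i++) if ($i == "Netif") col = i
            next
        }
        col && NF >= col && $col ~ pat { print fam, $1, $col }
    '
}

# Number of routes in the sample that still point at a tun interface.
stale_tun_count() {
    printf '%s\n' "$SAMPLE" | routes_on_if tun | wc -l | tr -d ' '
}

# Run against the sample; on a live box use:  netstat -rn | routes_on_if tun
printf '%s\n' "$SAMPLE" | routes_on_if tun
```

If this prints anything while "ps uxawww | grep openvpn" shows no process, the tunnel interface and its routes were not torn down when the client was disabled, which is worth checking before blaming NAT or the ALIX CPU.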
-
Has anyone else tried an Alix 2D3 with pfsense and OpenVPN client mode?
Numerous times. As long as you aren't pushing more traffic than that CPU can handle, somewhere between 8-20 Mbps depending on cipher, you're fine. A crypto card increases that pretty considerably, 1.5-2 times as much. If you need to push more than that, you need a faster CPU.
-
On the same note, for Alix boards I think there is a recommended encryption method that is advised to be used. I am wondering if it's true that all Alix boards have that built in driver/chip or things should be done to install it? (sorry don't quite remember the name of the technology/driver...)
-
All Geode CPUs (ALIX, Soekris, etc) have the GLX Security Block device (glxsb) which will accelerate only AES-128. So for OpenVPN you need to set aes-128-cbc, and for IPsec, you set Rijndael (which is AES-128). Unless you have disabled the glxsb device under System > Advanced, it is loaded at boot time on supported platforms.