Packet Loss mainly over IPSEC VPN but not entirely

  • Hi, I have some issues with packet loss as seen on the status page and wondered if anyone can help?

    First off my set up, it’s a small office with 4 users, we are a small hub but part of a larger company, we produce audio for distribution around our group over IPSEC VPN.

    We have the following, a Dell 1850 v3 1u server with an extra dual Intel NIC. The server has 8Gb ram and a single 500gb hard disk. There is one ADSL connection with our internet provider being BE Internet. I have there Thompson ADSL Router in bridge mode connected to the wan on em0 of the Intel nic and the lan connected to a HP Procurve Gigabit managed switch.

    There are 16 sites all connected via IPSEC VPN and we have a server (Win 2k8R2) that automatically transfers the WAV files over the VPN’s to our remote sites around the UK.

    This issue originally appeared when we were transferring data around the group and I saw around 1Mbps of traffic on the IPSEC VPN Traffic Graph. I would then see the packet loss creep up from 0% to over 22%. The side effect of this is that the file transfer fails and has to start again. This then delays the roll out of our audio to the other sites.

    I have tried the following to resolve the issue. I have replaced the router with another of the same type in bridge mode; I have bought another ADSL Ethernet modem router (zyxel) and put it in bridge mode. I have moved the wan and lan to the onboard Broadcom nics, I have tried to use QOS to prioritise the traffic. I have lowered the MTU to 1300. All of these things have failed. I also followed this guide to see if this resolved the issue (

    I always thought that it was just VPN traffic that caused the high packet loss, but on downloading a torrent (centos) I also saw packet loss (not as high).

    I may have missed something out; I have been working on it for a while and have not got too far. The current solution is in and working which is a Draytek 2820 using the built in modem. This works but we hit the limits of the routers VPN capacity. Hence want to implement pfSense.

    Thanks for reading my long post all help / ideas welcome.


  • I think you are much more likely to have packet loss issues on the WAN side of your pfSense than the LAN side.

    Any path with a substantial number of hops on the public internet is likely to include a number of hops which are substantially oversubscribed (that is the hop bandwidth is insufficient for all potential users to be able to be able to obtain their maximum bandwidth). Hence packet loss can be seen in periods of substantial demand.

    pfSense keeps some graphs of link "quality" in Status -> RRD Graphs, click on Quality tab and use the pull down to select the appropriate interface. If you have your system configured correctly the graph will give you an indication of congestion on the link to the other end of the VPN. There are probably periods of low ping response times and high response times (indicating congestion). Do the periods of high response times correspond solely to the times of file transfer?

    Some things you could try. Do some tests to better understand how tweaking parameters affects the outcome..

    1. Do you transfer a number of files concurrently? Reduce the degree of concurrency.

    2. Convert WAV files to a compressed audio format and transfer the compressed files.

    3. Do the transfers outside "busy" times.

    4. Reduce the TCP window size used in the file transfers.

    What are your requirements/constraints? Must get all transfers (each a multi gigabyte transfer) to complete simultaneously in under 30s in network peak times and incur no additional costs? :-)