IPsec overhead

  • Hi guys,

    I have an IPsec VPN tunner between 2 pfSense boxes, WANs are on public IPs, no NAT or any strange things in the middle, it works great. In fact, each box has a WAN dedicated to this VPN tunnel.

    I have enabled the HSFC traffic shaper in order to shape WITHIN the tunnel, and seems to be working fine, except that I am not considering the bandwidth overhead of the VPN itself. This can be seen during periods of high throughput, I see drops on queues that should not have any drops.

    What would be a "nice and safe" value for the upperlimit on the queue that shapes the tunnel? This certainly has to be lower than the 97% of the real bandwitdh, usually recommended when enabling the traffic shaper.

    As usual, thanks a lot in advance!


Log in to reply