Netgate Discussion Forum

    OSX Finder very slow browsing shares via VPN

      ruio

      Hello everybody!
      I have some troubles with Apple OSX. I can't browse network folders with Finder because it's too slow. It takes forever just to list all the subfolders. If I try to transfer or open a file, everything is fine and I can do it at the right speed.

      I tried both OpenVPN and IPsec, same result. Of course I have no problem at all with Windows, Linux, Android and iOS; they are all very fast. I tried with different versions of OSX and pfSense but nothing changed.
      I tried with some Finder alternatives like Pathfinder but with no results.

      Do you have any idea or suggestion? Is there something I am missing?
      Thank you very much!

        Derelict LAYER 8 Netgate

        DNS?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          stephenw10 Netgate Administrator

          What type of network shares? Are they on the same subnet? Is it using Bonjour (mDNS) when other OSes are not?

          Steve

            ruio

            I don't think it's a DNS problem because I set the DNS via VPN to the Google DNS and I tried to dig www.google.com before and after the connection with the same result.

            The network share is a samba share via Windows Server 2008 or a Netgear NAS. I don't use Bonjour and the clients and server are on different subnets.

              stephenw10 Netgate Administrator

              I'm not really familiar enough with OSX to do anything other than speculate. I would suggest that something is talking in the wrong protocol and it has to time out before trying something else. That could be OSX asking for the folder list the wrong way or your samba server sending the list incorrectly.

              Steve

                ruio

                Thanks for your suggestion, I will look into it!

                  johnedstone

                  I am having the same problem.
                  Browsing my FreeBSD samba shares within my network (192.168.2.0/24) is not a problem for either Windows7 or Mac OS X 10.9.2 Mavericks.

                  When I use OpenVPN (configuration from pfsense router below), Windows7 is not a problem.  However on the Mac browsing using Tunnelblick there is a problem with the Finder.  It will list the top level but I can not click through to subdirectories on the cifs share.

                  I am using smbv1 on the Mac and have tried all the options, on the Mac, in /etc/nsmb.conf that have been suggested, with no success. The most common suggestion, which I have stayed with to force smb version 1, has been

                  
                  [default]
                  smb_neg=smb1_only
                  
                  

                  It's interesting that using a terminal, and doing a "find", there is no problem on the Mac.  It's something about the Finder.

                  Here is the current config on pfsense

                  
                  # cat /var/etc/openvpn/server1.conf
                  dev ovpns1
                  dev-type tun
                  tun-ipv6
                  dev-node /dev/tun1
                  writepid /var/run/openvpn_server1.pid
                  #user nobody
                  #group nobody
                  script-security 3
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  proto udp
                  cipher AES-128-CBC
                  up /usr/local/sbin/ovpn-linkup
                  down /usr/local/sbin/ovpn-linkdown
                  client-connect /usr/local/sbin/openvpn.attributes.sh
                  client-disconnect /usr/local/sbin/openvpn.attributes.sh
                  local 98.253.143.84
                  tls-server
                  server 192.168.33.0 255.255.255.0
                  client-config-dir /var/etc/openvpn-csc
                  username-as-common-name
                  auth-user-pass-verify /var/etc/openvpn/server1.php via-env
                  tls-verify /var/etc/openvpn/server1.tls-verify.php
                  lport 1194
                  management /var/etc/openvpn/server1.sock unix
                  max-clients 5
                  push "route 192.168.2.0 255.255.255.0"
                  push "dhcp-option DNS 192.168.2.1"
                  ca /var/etc/openvpn/server1.ca
                  cert /var/etc/openvpn/server1.cert
                  key /var/etc/openvpn/server1.key
                  dh /etc/dh-parameters.1024
                  tls-auth /var/etc/openvpn/server1.tls-auth 0
                  comp-lzo
                  persist-remote-ip
                  float
                  topology subnet
                  route 192.168.2.0 255.255.255.0
                  
                  # uname -r
                  8.3-RELEASE-p11
                  # cat /etc/version
                  2.1-RELEASE
                  
                  

                  If anyone gets this solved I would appreciate it.

                    charliem

                    @johnedstone:

                    I am having the same problem.
                    Browsing my FreeBSD samba shares within my network (192.168.2.0/24) is not a problem for either Windows7 or Mac OS X 10.9.2 Mavericks.

                    When I use OpenVPN (configuration from pfsense router below), Windows7 is not a problem.  However on the Mac browsing using Tunnelblick there is a problem with the Finder.  It will list the top level but I can not click through to subdirectories on the cifs share.

                    I am using smbv1 on the Mac and have tried all the options, on the Mac, in /etc/nsmb.conf that have been suggested, with no success. The most common suggestion, which I have stayed with to force smb version 1, has been

                    If anyone gets this solved I would appreciate it.

                    So browsing while on LAN segment is OK, but as a road warrior (I guess) using OpenVPN you have problems?

                    What ports do you have open on pfSense?  Typically you need to allow udp ports 137 and 138, and tcp ports 139 and 445 to pass.

                    It's interesting that using a terminal, and doing a "find", there is no problem on the Mac.  It's something about the Finder

                    I'm not too familiar with Macs; is find like the unix find, or is it related to network browsing?

                      johnedstone

                      So, I am updating my notes on browsing above

                      When I use OpenVPN, Windows7 is not a problem.  However on the Mac browsing using Tunnelblick there is a problem with the Finder.  It will list the top level but I can not click through to subdirectories on the cifs share.

                      I turned up logging on the samba shares, and I see that the Mac Finder is very chatty, opening and closing every file.  So, I reasoned, and I now believe, that my OpenVPN configuration is okay.  And, the real problem is that the Mac Finder is so chatty, and it doesn't return and display, because it's still busy opening and closing files.

                      To confirm this, I created a cifs share with a few files and a few folders, and browsed this with my Mac client, through OpenVPN and that was no problem.

                      And, as I read the Mac forums, regarding Mac 10.9.x, there are a lot of people reporting "Finder is slow", not just on cifs.  So, at this point my focus is on finding a way to make the Finder less chatty on cifs, or to find an alternate to Finder.  Additionally, I believe I can mount subfolders within the cifs, on the Mac, and perhaps get to them quicker, without having to browse through the parent directories.

                      Thanks for your response, charliem.  If I figure out anything on the Mac to make it less chatty I'll try to remember to post here.  For now, pfSense/OpenVPN is perfect.  – johnedstone

                      Followup:
                      I installed Xfile (http://rixstep.com/4/0/xfile/), a faster application than the Mac Finder.  As advertised this was faster, and my cifs/samba shares are now browsable through OpenVPN using Xfile.  So, as noted above, this problem, in my mind, is the slowness of the Mac Finder.  This may be a bug in 10.9.2.  I'm waiting to see if Apple "fixes" this in the future.

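One way to put numbers on the Finder chattiness that johnedstone saw after turning up Samba logging, as an added example that is not from any poster in the thread. It assumes smbd open/close messages in the "log level = 2" style (timestamp header line followed by an indented message line); the sample log, user name and file names are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the style of smbd level-2 logging (not from the thread).
SAMPLE_LOG = """\
[2014/03/20 10:15:01.000000,  2] smbd/open.c:580(open_file)
  johned opened file media/a.jpg read=Yes write=No (numopen=1)
[2014/03/20 10:15:01.050000,  2] smbd/close.c:696(close_normal_file)
  johned closed file media/a.jpg (numopen=0) NT_STATUS_OK
[2014/03/20 10:15:01.100000,  2] smbd/open.c:580(open_file)
  johned opened file media/b.jpg read=Yes write=No (numopen=1)
[2014/03/20 10:15:01.150000,  2] smbd/close.c:696(close_normal_file)
  johned closed file media/b.jpg (numopen=0) NT_STATUS_OK
[2014/03/20 10:15:01.200000,  2] smbd/open.c:580(open_file)
  johned opened file media/a.jpg read=Yes write=No (numopen=1)
[2014/03/20 10:15:01.500000,  2] smbd/close.c:696(close_normal_file)
  johned closed file media/a.jpg (numopen=0) NT_STATUS_OK
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
# Lazy path match so file names containing spaces are kept whole.
EVENT = re.compile(r"^\s+(\S+) (opened|closed) file (.+?) (?:read=|\(numopen=)")

def summarize(log_text):
    """Count opens/closes, distinct files, repeat opens and the open rate."""
    opens, closes = Counter(), Counter()
    stamps, last_ts = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:  # remember the timestamp for the message line that follows
            last_ts = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S.%f")
            continue
        event = EVENT.match(line)
        if event and last_ts is not None:
            _user, action, path = event.groups()
            (opens if action == "opened" else closes)[path] += 1
            stamps.append(last_ts)
    span = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    total = sum(opens.values())
    return {
        "opens": total,
        "closes": sum(closes.values()),
        "distinct_files": len(opens),
        "reopened": sorted(p for p, n in opens.items() if n > 1),
        "opens_per_sec": round(total / span, 1) if span else None,
    }
```

Running `summarize()` over the same browse captured on the LAN and over the VPN gives comparable open counts and rates for the two paths.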
                        Louis89

                        I don't think this has anything to do with pfSense. I have only started using Macs on my network in the last few months so I can only speak for OSX 10.9.x. I have 3 macs running Mavericks and finder is slow for Samba shares on all of them. I have a few Linux and Windows hosts that are very speedy via Samba though. It seems finder in 10.9.x and possibly earlier versions just doesn't like CIFS/Samba shares.

                        My solution was to set up netatalk which uses Apple's AFP protocol for file sharing. Finder is just as fast or faster than my non-OSX machines when AFP is available. Your Mac will automatically prefer AFP over Samba if it is available and if you have Avahi running with netatalk then there will be zero configuration necessary (your server will magically appear in Finder). You can also use a lot more Apple features with an AFP share, like time machines and with netatalk integration between spotlight (Mac's file indexer) and tracker (Linux's file indexer) for much faster searching. Though, I can't speak for how well XFile works in comparison as I have never tried it.

                        You mentioned OpenVPN so I think it is worth mentioning that mDNS/Avahi/Bonjour/ZeroConf (whatever you like calling it) won't work out of the box through an OpenVPN tunnel with pfSense. So you will have to manually connect if it is the case that you are attempting to access your AFP share via OpenVPN. This is what led me to your post. It should be possible to forward mDNS between pfSense LANs and OpenVPN client hosts, but I haven't been able to figure it out yet. There seems to be a lot of talk and simple solutions for forwarding mDNS router-to-router, but not router-to-a single client host, but I digress.

                          filipp

                          Just wanted to chime in and say that we are experiencing the same issues. It's indeed a bit better over AFP and even better when connected to a native OS X file server (probably thanks to HFS+ and compression). As others have said - the Finder is probably the main culprit - you can kind of see it with Wireshark - Finder opening files and folders even when you don't click anything.

                          So yeah, def. not a pfSense issue, but an issue nonetheless. :)

                            tha_toadman

                            Reviving this topic to report my findings.

                            I just called Apple Support today to investigate this issue. Our scenario is a Mac Mini running 10.10.2 connecting via OpenVPN to a SMB file share off of FreeNAS. When the AFP protocol is used, it connects immediately. When we move to the SMB protocol….crickets....user auth window, click "Guest"....spinning wheel....crickets....ERROR.

                            During my discussion with Apple Enterprise level support, they said that this is an active issue that the engineers are currently investigating. While it was confirmed as a known bug, there obviously isn't an ETA for this fix. I told them my frustration was that (based off of the date stamps in this thread) this issue has been ongoing for almost a year now. He apologized but reiterated that a fix was coming.

                            In the meantime, I now have to get a NAS appliance with AFP support because of that unknown ETA. I hope this information helps anyone else that may be in the same situation.

                              stephenw10 Netgate Administrator

                              Thanks for reporting that.
                              Have you tried to use something other than finder? Like Xfile as reported above?

                              Steve

                                tha_toadman

                                Yeah, no problem. To answer your question: No, I did not. The Mac Mini was the client's machine.
