Strange VPN performance on pfSense 2.2



  • Hey

    I'm testing a new pfSense box running 2.2 and seeing some strange VPN performance.

    Setup:    PC1 (192.168.100.23)    <--->    (WAN: 192.168.100.37) pfSense (LAN: 192.168.1.1)    <--->    PC2 (192.168.1.100)

    In every test the VPN tunnel is made from PC1 to pfSense.

    First I tested using L2TP/IPsec (L2TP/IPsec subnet is 192.168.2.128/25):

    
    iperf.exe -c 192.168.1.100 -P 5 -w 130k
    ------------------------------------------------------------
    Client connecting to 192.168.1.100, TCP port 5001
    TCP window size:  130 KByte
    ------------------------------------------------------------
    [  6] local 192.168.2.128 port 50093 connected with 192.168.1.100 port 5001
    [  5] local 192.168.2.128 port 50092 connected with 192.168.1.100 port 5001
    [  7] local 192.168.2.128 port 50094 connected with 192.168.1.100 port 5001
    [  4] local 192.168.2.128 port 50091 connected with 192.168.1.100 port 5001
    [  3] local 192.168.2.128 port 50090 connected with 192.168.1.100 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  7]  0.0-10.0 sec  36.8 MBytes  30.7 Mbits/sec
    [  6]  0.0-10.1 sec  33.1 MBytes  27.6 Mbits/sec
    [  5]  0.0-10.1 sec  36.1 MBytes  30.1 Mbits/sec
    [  4]  0.0-10.1 sec  35.6 MBytes  29.7 Mbits/sec
    [  3]  0.0-10.1 sec  33.6 MBytes  28.0 Mbits/sec
    [SUM]  0.0-10.1 sec   175 MBytes   146 Mbits/sec
    
    

    Then using OpenVPN with compression (OpenVPN subnet is 192.168.3.0/24):

    
    iperf.exe -c 192.168.1.100 -P 5 -w 130k
    ------------------------------------------------------------
    Client connecting to 192.168.1.100, TCP port 5001
    TCP window size:  130 KByte
    ------------------------------------------------------------
    [  7] local 192.168.3.6 port 50179 connected with 192.168.1.100 port 5001
    [  4] local 192.168.3.6 port 50176 connected with 192.168.1.100 port 5001
    [  3] local 192.168.3.6 port 50175 connected with 192.168.1.100 port 5001
    [  6] local 192.168.3.6 port 50178 connected with 192.168.1.100 port 5001
    [  5] local 192.168.3.6 port 50177 connected with 192.168.1.100 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  7]  0.0-10.0 sec  37.6 MBytes  31.5 Mbits/sec
    [  4]  0.0-10.0 sec  37.5 MBytes  31.3 Mbits/sec
    [  6]  0.0-10.0 sec  37.6 MBytes  31.4 Mbits/sec
    [  5]  0.0-10.0 sec  37.6 MBytes  31.4 Mbits/sec
    [  3]  0.0-10.0 sec  37.6 MBytes  31.4 Mbits/sec
    [SUM]  0.0-10.0 sec   188 MBytes   157 Mbits/sec
    
    

    Then using OpenVPN without compression (OpenVPN subnet is 192.168.3.0/24):

    
    iperf.exe -c 192.168.1.100 -P 5 -w 130k
    ------------------------------------------------------------
    Client connecting to 192.168.1.100, TCP port 5001
    TCP window size:  130 KByte
    ------------------------------------------------------------
    [  7] local 192.168.3.6 port 50283 connected with 192.168.1.100 port 5001
    [  5] local 192.168.3.6 port 50281 connected with 192.168.1.100 port 5001
    [  6] local 192.168.3.6 port 50282 connected with 192.168.1.100 port 5001
    [  3] local 192.168.3.6 port 50279 connected with 192.168.1.100 port 5001
    [  4] local 192.168.3.6 port 50280 connected with 192.168.1.100 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  7]  0.0-10.0 sec  38.2 MBytes  32.0 Mbits/sec
    [  6]  0.0-10.0 sec  38.4 MBytes  32.0 Mbits/sec
    [  3]  0.0-10.0 sec  38.4 MBytes  32.0 Mbits/sec
    [  4]  0.0-10.1 sec  38.2 MBytes  31.9 Mbits/sec
    [  5]  0.0-10.1 sec  38.4 MBytes  32.0 Mbits/sec
    [SUM]  0.0-10.1 sec   192 MBytes   160 Mbits/sec
    
    

    I then port forwarded port 5001 from WAN to LAN and ran a test again:

    
    iperf.exe -c 192.168.100.37 -P 5 -w 130k
    ------------------------------------------------------------
    Client connecting to 192.168.100.37, TCP port 5001
    TCP window size:  130 KByte
    ------------------------------------------------------------
    [  3] local 192.168.100.23 port 50310 connected with 192.168.100.37 port 5001
    [  6] local 192.168.100.23 port 50313 connected with 192.168.100.37 port 5001
    [  4] local 192.168.100.23 port 50311 connected with 192.168.100.37 port 5001
    [  5] local 192.168.100.23 port 50312 connected with 192.168.100.37 port 5001
    [  7] local 192.168.100.23 port 50314 connected with 192.168.100.37 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  6]  0.0-10.0 sec   222 MBytes   187 Mbits/sec
    [  4]  0.0-10.0 sec   227 MBytes   191 Mbits/sec
    [  5]  0.0-10.0 sec   222 MBytes   186 Mbits/sec
    [  7]  0.0-10.0 sec   222 MBytes   186 Mbits/sec
    [  3]  0.0-10.0 sec   228 MBytes   191 Mbits/sec
    [SUM]  0.0-10.0 sec  1.09 GBytes   939 Mbits/sec
    
    

    I also tried to add another interface on the pfSense box (OPT1, 192.168.10.0/24) and ran the test again to see if it was a problem with routing between subnets:

    
    C:\Users\Jacob\Desktop\iperf-2.0.5-3-win32>iperf.exe -c 192.168.100.37 -P 5 -w 130k
    ------------------------------------------------------------
    Client connecting to 192.168.1.100, TCP port 5001
    TCP window size:  130 KByte
    ------------------------------------------------------------
    [  5] local 192.168.10.8 port 50327 connected with 192.168.1.100 port 5001
    [  6] local 192.168.10.8 port 50328 connected with 192.168.1.100 port 5001
    [  7] local 192.168.10.8 port 50329 connected with 192.168.1.100 port 5001
    [  3] local 192.168.10.8 port 50325 connected with 192.168.1.100 port 5001
    [  4] local 192.168.10.8 port 50326 connected with 192.168.1.100 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  3]  0.0-10.0 sec   222 MBytes   186 Mbits/sec
    [  4]  0.0-10.0 sec   223 MBytes   187 Mbits/sec
    [  5]  0.0-10.0 sec   222 MBytes   186 Mbits/sec
    [  6]  0.0-10.0 sec   227 MBytes   191 Mbits/sec
    [  7]  0.0-10.0 sec   229 MBytes   192 Mbits/sec
    [SUM]  0.0-10.0 sec  1.10 GBytes   942 Mbits/sec
    
    

    Conclusion: When using VPN I can only get 160 Mbits/s in the tunnel. If I use compression with OpenVPN the tunnel is also maxed at 160 Mbits/s, even though the data rate is only about 20 Mbits/s on the physical interface. If not using VPN I can transfer almost 1 Gbit/s.

    CPU on pfSense when using OpenVPN with/without compression is 21%. L2TP/IPsec = 30%.
    I also tried adding net.inet.ip.fastforwarding = 1 but it does nothing.

    Is there a fixed max speed on VPN tunnels at 160 Mbit/s or can anybody explain why I'm getting this performance?

    Hardware: Super Micro A1SRi-2758F, 16 GB ECC, 120 GB SSD.

    Thanks.
    /Jacob



  • Can anybody help?

