IPSec/OVPN slow using NAT
-
I struggle to get some performance from a VPN between two pfsense 2.2.5, one being a SG-4860 (pfsense B), the other a VM (pfsense A) on 1 vCore E5-26xx at a hoster. The VM has only one NIC and its main purpose is to be a VPN gateway providing me with a static IP at home (server B, 10.1.0.80).
I get about line speed in an IPSec VPN between the two pfsenses if I test from pfsense A, but roughly nothing if I connect from outside (client A) and pfsense A has to do some NAT first. I also tried OpenVPN, which was much slower, but with the same pattern. Any idea why the speed is so much lower for client A?
I test the performance with iperf -P 3 and get the following results:
no VPN:
client A --> pfsense A 400 MBit/s
pfsense A --> pfsense B 200 MBit/s (~ line speed)
pfsense A <-- pfsense B 25 MBit/s (~ line speed)

with IPSec:
pfsense A --> pfsense B --> server B 180 MBit/s
client A --> pfsense A (NAT) --> pfsense B --> server B 3 MBit/s ??

with OpenVPN:
pfsense A --> pfsense B --> server B 55 MBit/s
client A --> pfsense A (NAT) --> pfsense B --> server B 2 MBit/s ??

IPSec pfsense A
P1: AES-128, SHA1
P2: tunnel, 0.0.0.0/0, 10.1.0.80, ESP, AES128-GCM (auto), SHA1

IPSec pfsense B
P1: AES-128, SHA1
P2: tunnel, 10.1.0.80, 0.0.0.0/0, ESP, AES128-GCM (auto), SHA1

OpenVPN pfsense A (server)
AES-128, SHA1
IPv4 Local Network none
IPv4 Remote Network 10.1.0.0/24

OpenVPN pfsense B (client)
AES-128, SHA1
IPv4 Local Network none
IPv4 Remote Network none (policy routing)
-
SOLVED: It had nothing to do with the VPN configs, but the pfsense on one side is on KVM and was still offloading some checksum calculations to virtual hardware. Disabling all offloading, as even mentioned in the pinned pfsense Xen/KVM FAQ, fixed it. Stupid me, not my first pfsense on KVM :-[
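
A check for the condition described in the resolution above, as an added example that is not part of the original thread: it parses FreeBSD-style `ifconfig` output and lists interfaces that still advertise checksum or segmentation offload. The interface names and the sample output are constructed, and the function name `offload_flags` is hypothetical.

```shell
#!/bin/sh
# Constructed sample of FreeBSD-style ifconfig output (not from the thread).
# Real ifconfig indents with tabs; the parser accepts tabs or spaces.
sample_ifconfig() {
cat <<'EOF'
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWCSUM,TSO4,LRO,LINKSTATE>
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
vtnet1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=80028<VLAN_MTU,JUMBO_MTU,LINKSTATE>
    inet 10.1.0.1 netmask 0xffffff00 broadcast 10.1.0.255
EOF
}

# Read ifconfig output on stdin; print "iface: FLAGS" for every interface
# whose options line still lists checksum, TSO or LRO offload.
offload_flags() {
    awk '
    /^[^ \t]/ { sub(/:$/, "", $1); iface = $1 }   # interface header line
    /^[ \t]+options=/ {
        s = $0
        sub(/^[^<]*</, "", s); sub(/>.*$/, "", s) # keep text inside <...>
        n = split(s, caps, ",")
        hits = ""
        for (i = 1; i <= n; i++)
            if (caps[i] ~ /^(RXCSUM|TXCSUM|TSO4|TSO6|LRO)/)
                hits = hits (hits == "" ? "" : ",") caps[i]
        if (hits != "") print iface ": " hits
    }'
}

# On a live system: ifconfig | offload_flags
# An interface listed here can be switched off for a test with, e.g.
#   ifconfig vtnet0 -rxcsum -txcsum -tso -lro
sample_ifconfig | offload_flags
```

An empty result means none of the listed offload capabilities is active on any interface.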