Netgate Discussion Forum

    Weird vpn bandwidth pattern (both in OpenVPN and IKEv2)

      ThomasH

      after having used pfSense 2.x for several years on an alix apu, we had to replace the hardware due to a broken disk. the new machine is a rather beefy sun server. unfortunately, the vpn traffic seems broken in the incoming direction:

      speed measurements (iperf):

      • ipv4 direct connection: client -> server: ~800mbit (0% cpu)
      • ipv4 direct connection: server -> client: ~800mbit (0% cpu)
      • openvpn udp: client -> server: ~1.0mbit (0.1% cpu)
      • openvpn udp: server -> client: ~128mbit (28% cpu)
      • openvpn tcp: client -> server: ~1.1mbit (0.1% cpu)
      • openvpn tcp: server -> client: ~199mbit (30% cpu)
      • ikev2: client -> server: 2.2mbit (2% cpu)
      • ikev2: server -> client: ~221mbit (32% cpu)

      current setup

      • topology: [client] – [1gbit/1gbit fiber] – [isp] – [1gbit/1gbit copper] – [pfsense] – [server]
      • isp provides both ftth and our rack uplink, both are symmetrical gbit connections without rate limiting
      • pfsense hardware: amd64 on sun fire x4100 m2 (2x amd opteron 2220 se 2.8 ghz dual core), 24g ram, 2x 73 sas drives; 2x 1g nvidia nforce, 2x 1g broadcom nextreme 82546eb
      • pfsense config: v2.2.6 amd64, transparent bridge mode on em0 -> em1 (broadcom), vpn services configured on bridge

      I'm currently out of ideas and would appreciate any pointers on where to look next. I have already tested the following things:

      • disable hardware acceleration
      • enforce the MTU
      • enabled net.inet.ip.fastforwarding
      • switched network ports (nvidia <-> broadcom)
        awebster

        Check that your interfaces are properly negotiating link speed/duplex; on both ends of each link.
        A 100mbps Half-duplex link would produce what you're experiencing.

        –A.

          ThomasH

          @awebster:

          Check that your interfaces are properly negotiating link speed/duplex; on both ends of each link.
          A 100mbps Half-duplex link would produce what you're experiencing.

          pfsense reports:

          BRIDGEIN interface (wan, em0)
          Media: 1000baseT <full-duplex>
          BRIDGEOUT interface (opt1, em1)
          Media: 1000baseT <full-duplex>
          LAN interface (lan, nfe0)
          Media: 1000baseT <full-duplex,flowcontrol,master,rxpause,txpause>

          this matches the uplink and local switch port configurations.
