Netgate SG-1000 microFirewall

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - 0x10C

Pages: [1]
OpenVPN / [SOLVED] Packet Loss on WAN when OpenVPN Speed is High
« on: May 09, 2017, 07:41:24 am »
I have a bit of a weird problem I'll try to keep it short.

I have two OpenVPN clients configured in pfSense (v2.3.4). I have them configured so that all my LAN traffic goes through one of them except one computer which uses the other OpenVPN client connection.

This all works fine, I can access the internet from any computer on my LAN and their traffic goes out via the OpenVPN clients as intended.

But if the data over any of the OpenVPN clients reaches around 50Mb/s or more both the OpenVPN client handling that traffic and the internet WAN gateway both start suffering bad packet loss. About 30-50% on the OpenVPN and 15-30% on the WAN interface.

Now my first thought was my ISP is throttling OpenVPN or something. So I installed OpenVPN on my desktop computer and ran the same tests and I'm getting 200Mb/s through it to the same OpenVPN server (across the internet) as I'm using with pfSense and this time no WAN packet loss.

So I thought perhaps it's the CPU on my pfSense box? So I ran an OpenSSL benchmark of AES-256-CBC which is what my VPN uses and got a speed result of between 195MB/s and 215MB/s (smallest 16 bytes to largest packets 8000 bytes - single thread test only). Which should be 1.5Gb/s to 1.7Gb/s.

So I'm really just kind of confused about what is going on exactly. Can anyone shed some light on this? - Also my CPU does not have AES-NI I don't know how much or how little that helps on 2.3.4 is AES-NI even utilised by OpenVPN on this version of pfSense yet or is that 2.4 only?

Anyway thank you for any assistance.

General Questions / CSRF Login Issue Solution
« on: November 20, 2016, 11:43:03 am »
I've read a few people on the IRC and on these forums that have this issue where they get a message saying:

CSRF check failed. Your form session may have expired, or you may not have cookies enabled.

And they all say the same thing, it doesn't happen when they run Chrome in incognito mode. I also had this problem so I decided to figure out what the issue was and I have found the reason for it occurring.

If you use LastPass, 1Password or another browser based automatic login filler which overrides the input method of your browser and you setup a login before you upgraded to the latest version of pfSense the Username and Password forms which these plugins try to insert your Username and Password into have changed names. (in pfSense 2.2.x -> 2.3.x).

The solution is simple backup your username and password, erase the entries in your password manager (the forms it looks for) and create new generic ones just called username and password. Now when you login using your password manager you won't have the CSRF error message etc

I hope this is helpful to someone after looking at a lot of threads on this error no one seems to have posted a solution yet but I was able to replicate the problem and find this solution with some time yesterday.

OpenVPN / Very poor OpenVPN performance
« on: June 11, 2016, 06:58:19 am »
Hey guys I'm paying for a public VPN service, so I don't control the server side only the client side.

The problem I'm having is when I use the OpenVPN Client on my desktop or laptop computers the speed is excellent around 200Mb/s consistently.

But when I use the OpenVPN Client in PFSense the speed is very low, 5-10Mb/s and if it gets any higher (30-40Mb/s) I get huge amounts of packet loss and very high latency being reported in the PFSense Status Page.

Here are two speed tests to illustrate the problem:

I did these tests within the same minute late at night when the network should have no congestion so you can really see the problem. Both my Windows/Mac OpenVPN Client and the PFSense Client are setup the same except for one difference, the Windows one uses a TAP interface and the PFSense is using a TUN interface. Apart from that they're both using UDP, same port number, same level of compression, same server that they connect to and of course through the same modem and the same ISP on my side. I have tried using OpenVPN over TCP instead and the results are identical.

Does anyone have any thoughts about what this could be? I'm also going to list my router specs although I think it's beefy enough to handle much higher speeds than this.

The router is running an Intel Haswell G3220 Pentium chip (3GHz Dual Core with 3MB Cache). 16GB of DDR3 Memory, on-board Intel NIC on the motherboard (WAN) and another Intel NIC in one of the PCIe slots (LAN). The system I'm using for both of those speed tests also has Intel NIC's from an X79 motherboard. It is equpped with a 3930K and 32GB of DDR3.

When doing the speed test on PFSense the CPU load is only around 10-15% and the RAM usage is like 2GB out of 16GB. So I'm really not thinking it's the hardware but some kind of configuration issue or some setting I'm overlooking.

By the way I'm still using PFSense 2.2.6 - I've not yet upgraded to the latest version but I do plan to soon.


Hardware / Need more than 1Gb/s LAN - How can I get there?
« on: January 16, 2015, 03:16:33 am »
I know this isn't really a PFSense specific question as this is more about the switch behind my PFSense box.

But here is my question, how can I get more than 1Gb/s on my LAN? - I've considered two options.

1. Link Aggregation - But I don't really know how this works and if it does what I want.
2. 10Gb network cards + 10Gb switch

Here is my situation, I have a desktop and a server. The server contains all my storage, 1Gb (about 112MB/s in my environment) is just not cutting it. I'd really like 400MB/s or more.

I was thinking about using Link Aggregation to bond together four Ethernet 1Gb, but I'm not sure if doing this actually gives me 4x1Gb combined, giving me basically 4Gb network speeds or simply takes a single 1Gb link and splits it across multiple ports/cables so if I had 4 ports I'd get 250Mb/s through each cable culminating in 1Gb max.

Then the other option is 10Gb. But it looks pricey. I'd need to spend about 300 on just the network cards (sourced from ebay) then I'm looking at another 130 or so for a 10Gb switch. That's if I go with Ethernet, it seems that the cards for Fiber are cheaper.

Does anyone have any thoughts on this? Am I barking up the wrong tree with Link Aggregation, are 10Gb cards worth the expense?

Thanks for any replies :)

Hardware / [Solved] In/out errors on LAN
« on: January 09, 2015, 10:45:14 am »
I've built a new PFSense system and I'm having some In/out errors on my LAN. Is this normal or do I have a port/cable issue? (I've already changed the cable and the error rate stayed the same).

This is my config map.

Modem -> PFsense -> 4x1Gb Lan Bridged -> 1Gb Switch/Access Point (WiFi + 4 Ethernet Ports).

I'm only using one of the LAN ports on my PFSense system out of the four available. I bridged the four ports as I intended to use more than one.

Here is the information from the affected interface, this is the Bridge. No other interface is showing any In/Out Error or Colossians.

Based on this the error rate is about 1.06%

Is this something I should be concerned about? I'm not having any issues accessing the internet, the speed is what I should be receiving and is identical to my old equipment. But obviously seeing errors of any kind is worrying with a new system, this is my first PFSense build also.

Thank you for any replies. It is much appreciated.

Pages: [1]